Re: How to blacklist two different hosts in inputs...

Hemnaath · ‎12-07-2016

Hi All, Can any one guide me on how to blacklist two different host in the same inputs.conf files in Heavy Forwarder (HF) instance?

Currently we have the below inputs.conf set and in which we have already blacklisted a host but I want to add another host along with the below host, so that the logs from this host are not indexed in the same indexer.

example: want to blacklist sep01 logs from this path /opt/syslogs/generic/sep01/Sep01.log in the below inputs.conf

[monitor:///opt/syslogs/generic/.../*.log]
sourcetype = syslog
host_segment = 4
blacklist = dxx*lxx*
index=unix_svrs

Kindly guide me on this to fix this problem.

thanks in advance.

richgalloway · ‎12-07-2016

The blacklist attribute takes a regular expression so you could try something like

blacklist = (dxx*lxx|.*\/sep01\/)

---
If this reply helps you, Karma would be appreciated.

How to blacklist two different hosts in inputs.conf?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation