Getting Data In

How to blacklist two different hosts in inputs.conf?


Hi All, Can any one guide me on how to blacklist two different host in the same inputs.conf files in Heavy Forwarder (HF) instance?

Currently we have the below inputs.conf set and in which we have already blacklisted a host but I want to add another host along with the below host, so that the logs from this host are not indexed in the same indexer.

example: want to blacklist sep01 logs from this path /opt/syslogs/generic/sep01/Sep01.log in the below inputs.conf

sourcetype = syslog
host_segment = 4
blacklist = dxx*lxx*

Kindly guide me on this to fix this problem.

thanks in advance.

0 Karma


The blacklist attribute takes a regular expression so you could try something like

blacklist = (dxx*lxx|.*\/sep01\/)
If this reply helps you, an upvote would be appreciated.
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!