Getting Data In

How to configure blacklist in inputs.conf file on Linux?

chris1
Explorer

Hi ,

We have Splunk forwarder on a Linux platform. I wanted to add a blacklist to my inputs.conf file. Please help me with command which helps me to add this entry to my existing configured monitor.

Thanks,

jaredlaney
Contributor

There are a few ways to do this in inputs.conf.

Apply it to a monitor like this:
[monitor:///data/splunk/test/test*.csv]
blacklist = 538|540|576

Apply to all monitors and creates an error if a monitor returns a blacklisted file.
[blacklist:]
* Protect files on the filesystem from being indexed or previewed.
* Splunk will treat a file as blacklisted if it starts with any of the defined blacklisted .
* The preview endpoint will return and error when asked to preview a blacklisted file.
* The oneshot endpoint and command will also return an error.
* When a blacklisted file is monitored (monitor:// or batch://), filestatus endpoint will show an error.
* For fschange with sendFullEvent option enabled, contents of backlisted files will not be indexed.

I'm guessing you've already seen this:
http://answers.splunk.com/answers/119493/parameter-blacklist-in-inputs-conf.html

chris1
Explorer

Hi ,

I want the Linux command to add this blacklist to my existing monitor log path.

e.g ./splunk edit monitor \app\log -index test

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!