Getting Data In

How to configure blacklist in inputs.conf file on Linux?


Hi ,

We have Splunk forwarder on a Linux platform. I wanted to add a blacklist to my inputs.conf file. Please help me with command which helps me to add this entry to my existing configured monitor.



There are a few ways to do this in inputs.conf.

Apply it to a monitor like this:
blacklist = 538|540|576

Apply to all monitors and creates an error if a monitor returns a blacklisted file.
* Protect files on the filesystem from being indexed or previewed.
* Splunk will treat a file as blacklisted if it starts with any of the defined blacklisted .
* The preview endpoint will return and error when asked to preview a blacklisted file.
* The oneshot endpoint and command will also return an error.
* When a blacklisted file is monitored (monitor:// or batch://), filestatus endpoint will show an error.
* For fschange with sendFullEvent option enabled, contents of backlisted files will not be indexed.

I'm guessing you've already seen this:


Hi ,

I want the Linux command to add this blacklist to my existing monitor log path.

e.g ./splunk edit monitor \app\log -index test

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!