How to configure blacklist in inputs.conf file on ...

chris1 · ‎09-09-2015

Hi ,

We have Splunk forwarder on a Linux platform. I wanted to add a blacklist to my inputs.conf file. Please help me with command which helps me to add this entry to my existing configured monitor.

Thanks,

jaredlaney · ‎09-09-2015

There are a few ways to do this in inputs.conf.

Apply it to a monitor like this:
[monitor:///data/splunk/test/test*.csv]
blacklist = 538|540|576

Apply to all monitors and creates an error if a monitor returns a blacklisted file.
[blacklist:]
* Protect files on the filesystem from being indexed or previewed.
* Splunk will treat a file as blacklisted if it starts with any of the defined blacklisted .
* The preview endpoint will return and error when asked to preview a blacklisted file.
* The oneshot endpoint and command will also return an error.
* When a blacklisted file is monitored (monitor:// or batch://), filestatus endpoint will show an error.
* For fschange with sendFullEvent option enabled, contents of backlisted files will not be indexed.

I'm guessing you've already seen this:
http://answers.splunk.com/answers/119493/parameter-blacklist-in-inputs-conf.html

chris1 · ‎09-09-2015

Hi ,

I want the Linux command to add this blacklist to my existing monitor log path.

e.g ./splunk edit monitor \app\log -index test

How to configure blacklist in inputs.conf file on Linux?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation