Getting Data In

How to configure blacklist in inputs.conf file on Linux?

chris1
Explorer

Hi ,

We have Splunk forwarder on a Linux platform. I wanted to add a blacklist to my inputs.conf file. Please help me with command which helps me to add this entry to my existing configured monitor.

Thanks,

jaredlaney
Contributor

There are a few ways to do this in inputs.conf.

Apply it to a monitor like this:
[monitor:///data/splunk/test/test*.csv]
blacklist = 538|540|576

Apply to all monitors and creates an error if a monitor returns a blacklisted file.
[blacklist:]
* Protect files on the filesystem from being indexed or previewed.
* Splunk will treat a file as blacklisted if it starts with any of the defined blacklisted .
* The preview endpoint will return and error when asked to preview a blacklisted file.
* The oneshot endpoint and command will also return an error.
* When a blacklisted file is monitored (monitor:// or batch://), filestatus endpoint will show an error.
* For fschange with sendFullEvent option enabled, contents of backlisted files will not be indexed.

I'm guessing you've already seen this:
http://answers.splunk.com/answers/119493/parameter-blacklist-in-inputs-conf.html

chris1
Explorer

Hi ,

I want the Linux command to add this blacklist to my existing monitor log path.

e.g ./splunk edit monitor \app\log -index test

0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...