Getting Data In

How to configure blacklist in inputs.conf file on Linux?

chris1
Explorer

Hi ,

We have Splunk forwarder on a Linux platform. I wanted to add a blacklist to my inputs.conf file. Please help me with command which helps me to add this entry to my existing configured monitor.

Thanks,

jaredlaney
Contributor

There are a few ways to do this in inputs.conf.

Apply it to a monitor like this:
[monitor:///data/splunk/test/test*.csv]
blacklist = 538|540|576

Apply to all monitors and creates an error if a monitor returns a blacklisted file.
[blacklist:]
* Protect files on the filesystem from being indexed or previewed.
* Splunk will treat a file as blacklisted if it starts with any of the defined blacklisted .
* The preview endpoint will return and error when asked to preview a blacklisted file.
* The oneshot endpoint and command will also return an error.
* When a blacklisted file is monitored (monitor:// or batch://), filestatus endpoint will show an error.
* For fschange with sendFullEvent option enabled, contents of backlisted files will not be indexed.

I'm guessing you've already seen this:
http://answers.splunk.com/answers/119493/parameter-blacklist-in-inputs-conf.html

chris1
Explorer

Hi ,

I want the Linux command to add this blacklist to my existing monitor log path.

e.g ./splunk edit monitor \app\log -index test

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...