How to configure blacklist in inputs.conf file on ...

chris1 · ‎09-09-2015

Hi ,

We have Splunk forwarder on a Linux platform. I wanted to add a blacklist to my inputs.conf file. Please help me with command which helps me to add this entry to my existing configured monitor.

Thanks,

jaredlaney · ‎09-09-2015

There are a few ways to do this in inputs.conf.

Apply it to a monitor like this:
[monitor:///data/splunk/test/test*.csv]
blacklist = 538|540|576

Apply to all monitors and creates an error if a monitor returns a blacklisted file.
[blacklist:]
* Protect files on the filesystem from being indexed or previewed.
* Splunk will treat a file as blacklisted if it starts with any of the defined blacklisted .
* The preview endpoint will return and error when asked to preview a blacklisted file.
* The oneshot endpoint and command will also return an error.
* When a blacklisted file is monitored (monitor:// or batch://), filestatus endpoint will show an error.
* For fschange with sendFullEvent option enabled, contents of backlisted files will not be indexed.

I'm guessing you've already seen this:
http://answers.splunk.com/answers/119493/parameter-blacklist-in-inputs-conf.html

chris1 · ‎09-09-2015

Hi ,

I want the Linux command to add this blacklist to my existing monitor log path.

e.g ./splunk edit monitor \app\log -index test

How to configure blacklist in inputs.conf file on Linux?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?