Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my inputs.conf to blacklist a directory?

Michael
Contributor
‎02-13-2017 11:20 AM

Apologies, but I'm not groking this. I've read dozens of "answers", I've read several docs on the topic. But, I can't find a way to blacklist a directory. Is it even possible? The Docs say it's possible, but demonstrate it with file extensions (ie.: ".bak$"), implying it can only be done on files, not directories... I have a deployer and universal clients, Splunk 6.5.

In this example, I'm simply trying to prevent gitlab entries. Please, can someone give me the straight answer as to what I should use? (Please don't give me a link to follow, chances are I've been there).

I'm using the stanza in my inputs.conf:

[monitor:///var/log]
disabled = 0

...and for the blacklist statement, I've tried a gazillion things, including:

blacklist = "/var/log/gitlab/*"
blacklist = \/var\/log\/gitlab\/*
blacklist = gitlab.$
blacklist = gitlab/.$
blacklist = ///var/log/gitlab
blacklist = %gitlab/%$
blacklist = gitlab\.$

and multiple variations of the above...
etc., etc., etc.

Thanks for your help,
~Frusterated

0 Karma
Reply

edoardo_vicendo
Contributor
‎01-30-2020 06:57 AM

I struggled a little bit mee too on those backlists in [monitor://] stanza.

The point is that you should write a regular expression and not the absolute path
Try this balcklist setting in your stanza, it should work

[monitor:///var/log]
disabled=0
blacklist=\/var\/log\/gitlab\/.*
0 Karma
Reply

dantimola
Communicator
‎07-25-2017 09:33 PM

This answer is late, but for this problem you can just add the stanza below for your inputs.conf

 [blacklist://<path>]

Cheers,
Dan

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎02-14-2017 08:06 PM

I will share a "clever trick" I use to decide how a whitelist / blacklist combination is going to work on a directory structure. Use the unix find command as follows:

find $PATH -print | egrep $WHITELIST | egrep -v $BLACKLIST

Things that survive this will be processed by the monitor stanza in question.

Reply

Michael
Contributor
‎02-15-2017 05:12 AM

Interesting...
will have to try this, thanks for sharing it!

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎02-13-2017 12:00 PM

Try this

blacklist = \/gitlab\/
0 Karma
Reply

Michael
Contributor
‎02-14-2017 01:20 PM

Hey, it looks like it's working! blacklist = \/gitlab\/

BUT, that invites another mystery...

I've seen this before: I'll make changes in my deployment server, push the changes, and some will take effect immediately -- some won't until some time passes, like this one. This is the second time this has happened where I'll try something, it won't work, then I'll go home at the end of my workday (around 4:00 PM local). Then I'll come in the next day and it will be working. In both cases, I looked at the timeline and saw that the change kicked in (or, stopped getting log entries in this case) around 8:00 PM that same day.

Anyone else observe this behavior?

0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎03-19-2017 05:33 PM

@Michael - Did the answer/comment provided by somesoni2 help provide a working solution to your original question? If yes, please let me know so I can convert it to an answer to be accepted. If no, please leave a comment with more feedback. Thanks!

0 Karma
Reply

lguinn2
Legend
‎02-14-2017 03:25 PM

In serverclass.conf, do you have the app set so that the forwarder automatically restarts? Because in general, the forwarder must restart in order for any changes to take effect. That includes changes to inputs.conf

0 Karma
Reply

Michael
Contributor
‎02-15-2017 05:11 AM

Yes.

As I said, most changes will take place within minutes. In fact, on this very system is question, when making changes, I actually made two: one pointed it to another index, and one was the blacklist. The index change took place immediately (confirming for me the app edit and reload was working as it should). But this odd delay in other things... happened twice now.

I wonder if it's a "bug" similar to what can happen when you manually edit the XML of a dashboard, and nothing you do with your browser refreshes the GUI until you execute a refresh...or wait.

Just an oddity, I guess it's not a big deal...

0 Karma
Reply

Michael
Contributor
‎02-13-2017 12:26 PM

Sorry, but nope. Has that actually worked for you, or are guessing?

I know my inputs.conf file is being deployed properly, because this system (Server Class) was previously feeding into another index. I used this to make other changes, including the index destination and "host = $decideOnStartup" (which is a very cool trick, BTW) -- and they all took. But I just can't get the "blacklist" to work...

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎02-13-2017 12:51 PM

I haven't tested it but I've done similar thing for other use-cases of mine. Try being more specific and check the case of regex string.

blacklist = \/gitlab\/.+$

OR 

blacklist = gitlab
0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...