How to exclude a specific file?

balcv
Contributor

I'm trying to exclude a specific file called catalina.out in /var/log/tomcat9/ from being processed by Splunk.  The file is being sent to my heavy forwarder and I have the following in inputs.conf 

[monitor:///var/log/tomcat9]
blacklist=(catalina\.out)
disabled = 0

The data continues to be processed.  What am I missing?


richgalloway
SplunkTrust

Despite being a regular expression, there's no need to escape dots in blacklist or whitelist.  There's no need for a capture group, either.

[monitor:///var/log/tomcat9]
blacklist = catalina.out
disabled = 0

Don't forget to specify an index and sourcetype in the inputs.conf stanza.

---
If this reply helps you, Karma would be appreciated.

balcv
Contributor

Thanks @richgalloway.  I've removed the escape and added the index and source as suggested but that data is still appearing.

[monitor:///var/log/tomcat9]
blacklist= catalina.out
index= main
source= catalina.out
disabled = 0

Can the order of the monitor statements have an impact?  For example could a preceding statement override this statement if the previous statement is for ///var/log but does not specifically reference tomcat9?


richgalloway
SplunkTrust

Stanza order may be significant.  Try swapping them.

---
If this reply helps you, Karma would be appreciated.