Re: How to exclude a specific file?

balcv · ‎11-02-2022

I'm trying to exclude a specific file called catalina.out in /var/log/tomcat9/ from being processed by Splunk. The file is being sent to my heavy forwarder and I have the following in inputs.conf

[monitor:///var/log/tomcat9]
blacklist=(catalina\.out)
disabled = 0

The data continues to be processed. What am I missing?

richgalloway · ‎11-02-2022

Despite being a regular expression, there's no need to escape dots in blacklist or whitelist. There's no need for a capture group, either.

[monitor:///var/log/tomcat9]
blacklist = catalina.out
disabled = 0

Don't forget to specify an index and sourcetype in the inputs.conf stanza.

---
If this reply helps you, Karma would be appreciated.

balcv · ‎11-02-2022

Thanks @richgalloway . I've removed the escape and added the index and source as suggested but that data is still appearing.

[monitor:///var/log/tomcat9]
blacklist= catalina.out
index= main
source= catalina.out
disabled = 0

Can the order of the monitor statements have an impact? For example could a preceding statement override this statement if the previous statement is for ///var/log but does not specifically reference tomcat9?

richgalloway · ‎11-04-2022

Stanza order may be significant. Try swapping them.

---
If this reply helps you, Karma would be appreciated.

How to exclude a specific file?

heavy forwarder

inputs.conf

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?