Getting Data In

How to exclude files and folders from monitoring

catch_mili
Explorer

This is with respect to my earlier post /root monitoring.
Now I am able to captured activities done under /root, But I have one small query That, how can I exclude certain files and folders from monitoring.

Is there any way out ?

Because under /root there are number of files and folders, which I dont want to monitored all of them.

Tags (1)
0 Karma

MuS
Legend

Hi catch_mili

you black- and whitelist any input, read more at http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Whitelistorblacklistspecificincomingdata

cheers,
MuS

catch_mili
Explorer

Hi Ayn,

Appericiate, if you give me an example.

Even, I tried this one
[filter:blacklist:file.txt]
regex1 = .*txt
[fschange:/etc]
filters = file.txt

0 Karma

catch_mili
Explorer

[monitor:///etc]
blacklist = (xyzfile)

didnt worked, If i do any changes it is detected by Splunk, However, I have blacklisted that file.

Pls. help...

0 Karma

Ayn
Legend

Your syntax for fschange blacklisting is still wrong.

0 Karma

catch_mili
Explorer

[fschange:/]
followLinks=true
pollPeriod=120
index = os
disabled = 0
blacklist = .(txt)$

0 Karma

catch_mili
Explorer

[monitor:///etc]
_whitelist=(.conf|.cfg|config$|.ini|.init|.cf|.cnf|shrc$|^ifcfg|.profile|.rc|.rules|.tab|tab$|.login|policy$)
_blacklist = .(txt)$
index=os
disabled = 0

I have blacklist .txt files from monitoring, but if I do any modification in File it still shows under file modify Tab.

0 Karma

catch_mili
Explorer

What will be the syntax if I dont want to monitor /root/folder
below is just an example, assume, I dont want to monitor particular folder under /root

[monitor:///root]
blacklist = .(foldername)$

Will this work ?

0 Karma

catch_mili
Explorer

[fschange:/root]
followLinks=true
pollPeriod=120
index = os
disabled = 0
blacklist = . (tempfile) $

Actually, monitoring /root, under I have one tempfile which I dont want to monitored. But when I do changes its captured by Splunk, not sure where went wrong pasted entry above.

Pls. help.

0 Karma

Ayn
Legend

catch_mili, generally reading the docs is a good idea.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...