Getting Data In

How to exclude files and folders from monitoring

catch_mili
Explorer

This is with respect to my earlier post /root monitoring.
Now I am able to captured activities done under /root, But I have one small query That, how can I exclude certain files and folders from monitoring.

Is there any way out ?

Because under /root there are number of files and folders, which I dont want to monitored all of them.

Tags (1)
0 Karma

MuS
Legend

Hi catch_mili

you black- and whitelist any input, read more at http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Whitelistorblacklistspecificincomingdata

cheers,
MuS

catch_mili
Explorer

Hi Ayn,

Appericiate, if you give me an example.

Even, I tried this one
[filter:blacklist:file.txt]
regex1 = .*txt
[fschange:/etc]
filters = file.txt

0 Karma

catch_mili
Explorer

[monitor:///etc]
blacklist = (xyzfile)

didnt worked, If i do any changes it is detected by Splunk, However, I have blacklisted that file.

Pls. help...

0 Karma

Ayn
Legend

Your syntax for fschange blacklisting is still wrong.

0 Karma

catch_mili
Explorer

[fschange:/]
followLinks=true
pollPeriod=120
index = os
disabled = 0
blacklist = .(txt)$

0 Karma

catch_mili
Explorer

[monitor:///etc]
_whitelist=(.conf|.cfg|config$|.ini|.init|.cf|.cnf|shrc$|^ifcfg|.profile|.rc|.rules|.tab|tab$|.login|policy$)
_blacklist = .(txt)$
index=os
disabled = 0

I have blacklist .txt files from monitoring, but if I do any modification in File it still shows under file modify Tab.

0 Karma

catch_mili
Explorer

What will be the syntax if I dont want to monitor /root/folder
below is just an example, assume, I dont want to monitor particular folder under /root

[monitor:///root]
blacklist = .(foldername)$

Will this work ?

0 Karma

catch_mili
Explorer

[fschange:/root]
followLinks=true
pollPeriod=120
index = os
disabled = 0
blacklist = . (tempfile) $

Actually, monitoring /root, under I have one tempfile which I dont want to monitored. But when I do changes its captured by Splunk, not sure where went wrong pasted entry above.

Pls. help.

0 Karma

Ayn
Legend

catch_mili, generally reading the docs is a good idea.

0 Karma
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...