Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to exclude some specific files in a monito...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have added my log folder in Splunk monitoring. I want to exclude the files that start with Test from Splunk monitoring. Is it possible? Please suggest me a solution on this. There are so many unwanted files that are getting created in that log folder and it is getting uploaded into Splunk and affecting daily license usage.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configure your exclusion in props.conf file :
To exclude this file from being picked up by the forwarder, I think you can use a blacklist http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Whitelistorblacklistspecificincomingdata
[monitor:///directory]
blacklist = (test$)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configure your exclusion in props.conf file :
To exclude this file from being picked up by the forwarder, I think you can use a blacklist http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Whitelistorblacklistspecificincomingdata
[monitor:///directory]
blacklist = (test$)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
I have tested with the files which has "test" in word, but the file name is sample.txt and it is uploaded into splunk. So I think it is not looking into the content, only file name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I think we need to update in inputs.conf right? Also I tried blacklist = (test$) it is not working as expected. am still seeing the test files in Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my bad- it would be inputs.conf for blacklisting.
[monitor:///pathtologdir]
blacklist=Test
And that will not index files that contain strings matching "Test".
Please remember to restart your splunkd.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
Thanks! it rejects only file names with name Test right? or it search content of all files also?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you so much for your help. Please confirm, it rejects only file names with Test or it will look for files content as well?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It will reject all.
for only files use this :
blacklist=Test.*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
\ frontslash in between "t" and "."
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
