Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to exclude some specific files in a monitored Source folder from being indexed?

Abilan1
Path Finder
‎08-24-2015 09:28 AM

Hi,

I have added my log folder in Splunk monitoring. I want to exclude the files that start with Test from Splunk monitoring. Is it possible? Please suggest me a solution on this. There are so many unwanted files that are getting created in that log folder and it is getting uploaded into Splunk and affecting daily license usage.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jensonthottian
Contributor
‎08-24-2015 10:16 AM

Configure your exclusion in props.conf file :

To exclude this file from being picked up by the forwarder, I think you can use a blacklist http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Whitelistorblacklistspecificincomingdata

[monitor:///directory]
blacklist = (test$)

View solution in original post

Reply
Solved! Jump to solution
Solution

jensonthottian
Contributor
‎08-24-2015 10:16 AM

Configure your exclusion in props.conf file :

To exclude this file from being picked up by the forwarder, I think you can use a blacklist http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/Whitelistorblacklistspecificincomingdata

[monitor:///directory]
blacklist = (test$)

Reply
Solved! Jump to solution

Abilan1
Path Finder
‎08-24-2015 11:15 PM

Hi ,

I have tested with the files which has "test" in word, but the file name is sample.txt and it is uploaded into splunk. So I think it is not looking into the content, only file name.

0 Karma
Reply
Solved! Jump to solution

Abilan1
Path Finder
‎08-24-2015 10:48 AM

Hi,

I think we need to update in inputs.conf right? Also I tried blacklist = (test$) it is not working as expected. am still seeing the test files in Splunk.

Reply
Solved! Jump to solution

jensonthottian
Contributor
‎08-24-2015 10:55 AM

my bad- it would be inputs.conf for blacklisting.

[monitor:///pathtologdir]
blacklist=Test

And that will not index files that contain strings matching "Test".

Please remember to restart your splunkd.

0 Karma
Reply
Solved! Jump to solution

Abilan1
Path Finder
‎08-24-2015 11:01 AM

Hi ,

Thanks! it rejects only file names with name Test right? or it search content of all files also?

0 Karma
Reply
Solved! Jump to solution

Abilan1
Path Finder
‎08-24-2015 11:54 AM

Hi,

Thank you so much for your help. Please confirm, it rejects only file names with Test or it will look for files content as well?

0 Karma
Reply
Solved! Jump to solution

jensonthottian
Contributor
‎08-24-2015 12:02 PM

It will reject all.
for only files use this :

blacklist=Test.*

0 Karma
Reply
Solved! Jump to solution

jensonthottian
Contributor
‎08-24-2015 12:03 PM

\ frontslash in between "t" and "."

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

What’s New in Splunk Enterprise 9.4: Tools for Digital ResilienceTune in to What’s New in Splunk Enterprise ...

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...