Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to use blacklist in inputs.conf?

knalla
Path Finder
‎08-28-2018 01:43 PM

Hi,

How do you edit inputs.conf to blacklist some hosts from indexing and index those hosts to different index?

list of the servers:

/opt/logs/
server1
server2
server3
server4
server5
server6

inputs.conf

[monitor:///opt/logs/*/*log]
disabled = 0
host_segment = 4
index = abc
blacklist=(server4|server5)
sourcetype = abc
blacklist = .gz$

[monitor:///opt/logs/*/*log]
disabled = 0
host_segment = 4
index = xyz
whitelsit=(server4|server5)
sourcetype = abc
blacklist = .gz$

0 Karma
Reply

sudosplunk
Motivator
‎08-29-2018 06:39 AM

If a file matches the regexes in both the blacklist and whitelist settings, the file is NOT monitored. Blacklists take precedence over whitelists.

Try this combination in inputs.conf and see of it works,

[monitor:///opt/logs/*/*log]
disabled = 0
host_segment = 4
index = abc
whitelist=(server1|server2|server3|server6)
sourcetype = abc
blacklist = .gz$

[monitor:///opt/logs/*/*log]
disabled = 0
host_segment = 4
index = xyz
whitelsit=(server4|server5)
sourcetype = abc
blacklist = .gz$

Also, based on your monitor statement, I don't think host_segment=4 will pick up directory name as hostname. Try host_segment=3.

For example, if you set host_segment=3 and the monitor path is /opt/logs/host01/some.log, Splunk software sets the host as "host01" because that is the third segment.

Reply

knalla
Path Finder
‎08-30-2018 09:03 AM

Thanks for the response, I have multiple hosts to white list around 200 and black list around 10.

can I use 2 blacklists in a stanza, one for the hosts and one for .gz$?

0 Karma
Reply

sudosplunk
Motivator
‎08-30-2018 10:56 AM

Since blacklist supports regex, you can define regex to capture all 200 OR 10 hosts. Let me know how your hostname(s) looks like and I will try to provide a regex.

To my knowledge, you should be able to use 2 blacklists but be sure to number them, blacklist1, blacklist2, blacklist3 so on. More details here.

Alternatively, this should also work, blacklist = server1|\.gz$

0 Karma
Reply

pruthvikrishnap
Contributor
‎08-28-2018 02:14 PM

Hi,
You can do this, please find the docs below.
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_data_by_ta...
you will have to blacklist them and assign to a different group name and mention that in outputs.conf

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...