Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use blacklist in inputs.conf?

knalla
Path Finder
‎08-28-2018 01:43 PM

Hi,

How do you edit inputs.conf to blacklist some hosts from indexing and index those hosts to different index?

list of the servers:

/opt/logs/
server1
server2
server3
server4
server5
server6

inputs.conf

[monitor:///opt/logs/*/*log]
disabled = 0
host_segment = 4
index = abc
blacklist=(server4|server5)
sourcetype = abc
blacklist = .gz$

[monitor:///opt/logs/*/*log]
disabled = 0
host_segment = 4
index = xyz
whitelsit=(server4|server5)
sourcetype = abc
blacklist = .gz$

0 Karma
Reply

sudosplunk
Motivator
‎08-29-2018 06:39 AM

If a file matches the regexes in both the blacklist and whitelist settings, the file is NOT monitored. Blacklists take precedence over whitelists.

Try this combination in inputs.conf and see of it works,

[monitor:///opt/logs/*/*log]
disabled = 0
host_segment = 4
index = abc
whitelist=(server1|server2|server3|server6)
sourcetype = abc
blacklist = .gz$

[monitor:///opt/logs/*/*log]
disabled = 0
host_segment = 4
index = xyz
whitelsit=(server4|server5)
sourcetype = abc
blacklist = .gz$

Also, based on your monitor statement, I don't think host_segment=4 will pick up directory name as hostname. Try host_segment=3.

For example, if you set host_segment=3 and the monitor path is /opt/logs/host01/some.log, Splunk software sets the host as "host01" because that is the third segment.

Reply

knalla
Path Finder
‎08-30-2018 09:03 AM

Thanks for the response, I have multiple hosts to white list around 200 and black list around 10.

can I use 2 blacklists in a stanza, one for the hosts and one for .gz$?

0 Karma
Reply

sudosplunk
Motivator
‎08-30-2018 10:56 AM

Since blacklist supports regex, you can define regex to capture all 200 OR 10 hosts. Let me know how your hostname(s) looks like and I will try to provide a regex.

To my knowledge, you should be able to use 2 blacklists but be sure to number them, blacklist1, blacklist2, blacklist3 so on. More details here.

Alternatively, this should also work, blacklist = server1|\.gz$

0 Karma
Reply

pruthvikrishnap
Contributor
‎08-28-2018 02:14 PM

Hi,
You can do this, please find the docs below.
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_data_by_ta...
you will have to blacklist them and assign to a different group name and mention that in outputs.conf

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...