Getting Data In

Is blacklist recursive

tkw03
Communicator

I have an inputs.conf stanza that I want to add. I am adding it to monitor all files and sub-directories. Throughout these sub-directories there are .bz2 files that I dont want to ingest. What would be the best way? I was thinking blacklist the bz2 files but that may not be the best way? Maybe there's a better way?

[monitor:///var/log/remote/*]
blacklist=(*.bz2*)
index=nix_os
disabled = 0

There could be any number of sub-directories below the remote/ parent directory.

Thanks!

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

The asterisk * will not recurse through subfolders. See this:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Specifyinputpathswithwildcards#Input_example...

I would use something like this. Assuming bz2 is the file extension

[monitor:///var/log/remote/*]
whitelist=\.bz2$
index=nix_os
disabled = 0
recursive=true           #true by default

View solution in original post

0 Karma

13tsavage
Communicator

Splunk Docs has good documentation explaining how to whitelist and blacklist file paths. The blacklist and whitelist sections requires custom regex expressions. So yes, there are ways to blacklist all files of a specific file type .bz2 in your case.

See the Blacklist (ignore) files in Whitelist or blacklist specific incoming data

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The asterisk * will not recurse through subfolders. See this:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Specifyinputpathswithwildcards#Input_example...

I would use something like this. Assuming bz2 is the file extension

[monitor:///var/log/remote/*]
whitelist=\.bz2$
index=nix_os
disabled = 0
recursive=true           #true by default
0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...