Getting Data In

Issue with blacklisting service name in inputs.conf file

Path Finder

I have 6 directories that I'm indexing from


Each of the directories has a number of files in them I'm trying to black list anything in the directory that begins with foo

The inputs.conf file looks like this

sourcetype = userTom
disable = 0
blacklist = .*\/\..*|foo*

and so on

sourcetype = userSue
disable = 0
blacklist = .*\/\..*|foo*

This does not seem to work.

I have also look been looking into the filtering of information with inputs.conf. But cannot find an example that describes how to set this up.

* Define a filter of type <filtertype> and name it <filtername>.
* <filtertype>:
  * Filter types are either 'blacklist' or 'whitelist.' 
  * A whitelist filter processes all file names that match the regex list.
  * A blacklist filter skips all file names that match the regex list.
* <filtername>
  * The filter name is used in the comma-separated list when defining a file system monitor.

Any help would be great

Tags (1)
0 Karma


Should be like this:

sourcetype = userTom
disable = 0
blacklist = foo.*

First, the monitor stanzas are URL-like - monitor:// plus the path. Your example had only the two slashes, which would have probably put it relative to $SPLUNK_HOME. And I don't think $SPLUNK_HOME/tom was what you wanted to monitor.

Second, you aren't required to put a filespec in the monitor:// stanza - the *.* is not necessary. If you do put a filespec, however, you shouldn't expect whitelist or blacklist to work. (Internally, Splunk uses whitelist and blacklist to implement the wildcard specification you give)

Third, these are regexes, not globbing-style wildcard expansions. foo* means "f, followed by o, followed by zero or more o" -- so "foo" will match, and so will "fo", and "foooooooooooooooooooo". To make the glob-syle pattern foo* you need to make your regex foo.*. To make the glob-style pattern foo.* you need to make your regex foo\..*

Finally, the filter stanzas in inputs.conf are not used for monitor:// stanzas, but for fschange stanzas. So, you wouldn't use those unless you were setting up fschange.

Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...