Issue with blacklisting service name in inputs.conf file

fresned
Path Finder

I have 6 directories that I'm indexing from

/tom/
/linda/
/joe/
/time/
/jil/
/sue/

Each of the directories has a number of files in them. I'm trying to blacklist anything in the directory that begins with foo.

The inputs.conf file looks like this

[monitor://tom/*.*]
sourcetype = userTom
disable = 0
blacklist = .*\/\..*|foo*

and so on

[monitor://sue/*.*]
sourcetype = userSue
disable = 0
blacklist = .*\/\..*|foo*

This does not seem to work.

I have also been looking into the filtering of information with inputs.conf, but cannot find an example that describes how to set this up.

[filter:<filtertype>:<filtername>]
* Define a filter of type <filtertype> and name it <filtername>.
* <filtertype>:
  * Filter types are either 'blacklist' or 'whitelist.' 
  * A whitelist filter processes all file names that match the regex list.
  * A blacklist filter skips all file names that match the regex list.
* <filtername>
  * The filter name is used in the comma-separated list when defining a file system monitor.

Any help would be great


dwaddle
SplunkTrust

Should be like this:

[monitor:///tom]
sourcetype = userTom
disable = 0
blacklist = foo.*

First, the monitor stanzas are URL-like - monitor:// plus the path. Your example had only the two slashes, which would have probably put it relative to $SPLUNK_HOME. And I don't think $SPLUNK_HOME/tom was what you wanted to monitor.

Second, you aren't required to put a filespec in the monitor:// stanza - the *.* is not necessary. If you do put a filespec, however, you shouldn't expect whitelist or blacklist to work. (Internally, Splunk uses whitelist and blacklist to implement the wildcard specification you give)

Third, these are regexes, not globbing-style wildcard expansions. foo* means "f, followed by o, followed by zero or more o" -- so "foo" will match, and so will "fo", and "foooooooooooooooooooo". To make the glob-style pattern foo* you need to make your regex foo.*. To make the glob-style pattern foo.* you need to make your regex foo\..*

Finally, the filter stanzas in inputs.conf are not used for monitor:// stanzas, but for fschange stanzas. So, you wouldn't use those unless you were setting up fschange.
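
An added example, not part of the original thread: it applies the blacklist regex from the question and the one from the answer to a few constructed file paths, to show which files each would skip, and translates the two glob patterns mentioned above into regexes. It assumes the blacklist is searched unanchored against the full file path and uses Python's `re` as a stand-in for Splunk's regex engine; the sample paths and the basename-anchored pattern are assumptions added here.

```python
import re

# Constructed sample paths (not from the original thread).
PATHS = [
    "/tom/foo.log",
    "/tom/foobar.txt",
    "/tom/barfoo.log",
    "/tom/info.log",
    "/tom/.hidden",
    "/tom/app.log",
]

def glob_to_regex(glob):
    """Translate a simple glob (* and ? only) into the equivalent regex body."""
    out = []
    for ch in glob:
        if ch == "*":
            out.append(".*")           # glob * = any run of characters
        elif ch == "?":
            out.append(".")            # glob ? = exactly one character
        else:
            out.append(re.escape(ch))  # literal, e.g. "." becomes "\."
    return "".join(out)

def blacklisted(pattern, paths=PATHS):
    """Return the paths an unanchored search of `pattern` would skip."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]

ORIGINAL = r".*\/\..*|foo*"   # from the question: "foo*" matches any path containing "fo"
CORRECTED = r"foo.*"          # from the answer: matches any path containing "foo"
BASENAME = r"/foo[^/]*$"      # assumption: stricter variant, file name must begin with foo

if __name__ == "__main__":
    for name, pat in [("original", ORIGINAL), ("corrected", CORRECTED),
                      ("basename-anchored", BASENAME)]:
        print(f"{name:18} {pat:16} -> {blacklisted(pat)}")
    print(glob_to_regex("foo*"), glob_to_regex("foo.*"))
```

With the question's pattern, `/tom/info.log` is skipped as well because it contains "fo"; an over-broad blacklist like this drops files from indexing without any error.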
