Issue with blacklisting service name in inputs.conf file

fresned
Path Finder

I have 6 directories that I'm indexing from

/tom/
/linda/
/joe/
/time/
/jil/
/sue/

Each of the directories has a number of files in them. I'm trying to blacklist anything in the directory that begins with foo.

The inputs.conf file looks like this

[monitor://tom/*.*]
sourcetype = userTom
disable = 0
blacklist = .*\/\..*|foo*

and so on

[monitor://sue/*.*]
sourcetype = userSue
disable = 0
blacklist = .*\/\..*|foo*

This does not seem to work.

I have also been looking into the filtering of information with inputs.conf, but cannot find an example that describes how to set this up.

[filter:<filtertype>:<filtername>]
* Define a filter of type <filtertype> and name it <filtername>.
* <filtertype>:
  * Filter types are either 'blacklist' or 'whitelist.' 
  * A whitelist filter processes all file names that match the regex list.
  * A blacklist filter skips all file names that match the regex list.
* <filtername>
  * The filter name is used in the comma-separated list when defining a file system monitor.

Any help would be great

dwaddle
SplunkTrust

Should be like this:

[monitor:///tom]
sourcetype = userTom
disable = 0
blacklist = foo.*

First, the monitor stanzas are URL-like - monitor:// plus the path. Your example had only the two slashes, which would have probably put it relative to $SPLUNK_HOME. And I don't think $SPLUNK_HOME/tom was what you wanted to monitor.

Second, you aren't required to put a filespec in the monitor:// stanza - the *.* is not necessary. If you do put a filespec, however, you shouldn't expect whitelist or blacklist to work. (Internally, Splunk uses whitelist and blacklist to implement the wildcard specification you give)

Third, these are regexes, not globbing-style wildcard expansions. foo* means "f, followed by o, followed by zero or more o" -- so "foo" will match, and so will "fo", and "foooooooooooooooooooo". To make the glob-style pattern foo* you need to make your regex foo.*. To make the glob-style pattern foo.* you need to make your regex foo\..*

Finally, the filter stanzas in inputs.conf are not used for monitor:// stanzas, but for fschange stanzas. So, you wouldn't use those unless you were setting up fschange.
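
As an added example (not code from either poster or from Splunk), this Python sketch applies the regexes discussed in the thread to constructed file paths and lists which ones each pattern would exclude from monitoring. It assumes the blacklist regex is searched unanchored against the full path and uses Python's re module in place of Splunk's PCRE engine; the anchored pattern goes beyond the thread and is a hypothetical variant.

```python
import re

# Constructed sample paths (illustrative only, not from the thread's hosts).
SAMPLE_PATHS = [
    "/tom/foo.log",
    "/tom/foo_archive.txt",
    "/tom/info.log",       # contains "fo" but does not begin with foo
    "/tom/buffoon.log",    # contains "foo" in the middle of the name
    "/tom/.hidden",
    "/tom/app.log",
]

# Patterns from the thread, plus one hypothetical anchored variant.
PATTERNS = {
    "question": r".*\/\..*|foo*",            # glob thinking: foo* is fo, foo, fooo...
    "answer": r"foo.*",                      # regex form of the glob foo*
    "anchored (hypothetical)": r"/foo[^/]*$",  # file name must begin with foo
}


def blacklisted(pattern, paths=SAMPLE_PATHS):
    """Return the paths that an unanchored regex search would exclude.

    Assumption: the blacklist is matched anywhere in the full path.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def report():
    """Map each pattern label to the list of paths it would drop."""
    return {name: blacklisted(rx) for name, rx in PATTERNS.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:24} drops {hits}")
```

A blacklist that matches more than intended silently drops files from indexing, so checking a pattern against a listing of real file names before deploying it catches gaps like info.log above.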
