Issue with blacklisting service name in inputs.conf file

fresned
Path Finder

I have 6 directories that I'm indexing from:

/tom/
/linda/
/joe/
/time/
/jil/
/sue/

Each of the directories has a number of files in it. I'm trying to blacklist anything in the directory that begins with foo.

The inputs.conf file looks like this:

[monitor://tom/*.*]
sourcetype = userTom
disabled = 0
blacklist = .*\/\..*|foo*

and so on

[monitor://sue/*.*]
sourcetype = userSue
disabled = 0
blacklist = .*\/\..*|foo*

This does not seem to work.

I have also been looking into the filtering of information with inputs.conf, but cannot find an example that describes how to set this up.

[filter:<filtertype>:<filtername>]
* Define a filter of type <filtertype> and name it <filtername>.
* <filtertype>:
  * Filter types are either 'blacklist' or 'whitelist.' 
  * A whitelist filter processes all file names that match the regex list.
  * A blacklist filter skips all file names that match the regex list.
* <filtername>
  * The filter name is used in the comma-separated list when defining a file system monitor.

Any help would be great.


dwaddle
SplunkTrust

Should be like this:

[monitor:///tom]
sourcetype = userTom
disabled = 0
blacklist = foo.*

First, the monitor stanzas are URL-like - monitor:// plus the path. Your example had only the two slashes, which would have probably put it relative to $SPLUNK_HOME. And I don't think $SPLUNK_HOME/tom was what you wanted to monitor.

Second, you aren't required to put a filespec in the monitor:// stanza - the *.* is not necessary. If you do put a filespec, however, you shouldn't expect whitelist or blacklist to work. (Internally, Splunk uses whitelist and blacklist to implement the wildcard specification you give.)

Third, these are regexes, not globbing-style wildcard expansions. foo* means "f, followed by o, followed by zero or more o" -- so "foo" will match, and so will "fo", and "foooooooooooooooooooo". To make the glob-style pattern foo* you need to make your regex foo.*. To make the glob-style pattern foo.* you need to make your regex foo\..*

Finally, the filter stanzas in inputs.conf are not used for monitor:// stanzas, but for fschange stanzas. So, you wouldn't use those unless you were setting up fschange.
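
The regex-versus-glob point in the answer above, as an added example that is not part of the original thread: it runs the blacklist patterns from the thread over constructed file paths to show which files each one would drop from indexing. It assumes the blacklist regex is applied unanchored to the full path (modelled here with Python's re.search); the anchored pattern /foo[^/]*$ and all function names are this example's own.

```python
import fnmatch
import re

# Constructed sample paths (not from the original thread).
SAMPLE_PATHS = [
    "/tom/foo.log",
    "/tom/foobar.txt",
    "/tom/fo.log",
    "/tom/info.log",
    "/tom/myfoo.log",
    "/tom/app.log",
    "/tom/.hidden",
]


def skipped_by_regex(pattern, paths):
    """Paths a blacklist regex would skip, assuming an unanchored
    match against the full path (modelled with re.search)."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def skipped_by_glob(glob, paths):
    """Paths whose file name matches a shell-style glob, for comparison."""
    return [p for p in paths
            if fnmatch.fnmatchcase(p.rsplit("/", 1)[-1], glob)]


def report(paths=SAMPLE_PATHS):
    """Map each pattern to the list of paths it would exclude."""
    return {
        "glob foo*": skipped_by_glob("foo*", paths),
        # Pattern from the question: 'foo*' means "fo" plus any number of "o".
        "regex question": skipped_by_regex(r".*\/\..*|foo*", paths),
        # Pattern from the answer: "foo" followed by anything.
        "regex foo.*": skipped_by_regex(r"foo.*", paths),
        # Hypothetical stricter variant: file name must begin with "foo".
        "regex anchored": skipped_by_regex(r"/foo[^/]*$", paths),
    }


if __name__ == "__main__":
    for name, skipped in report().items():
        print(f"{name:16} skips {skipped}")
```

Under that assumption, the question's pattern silently drops every sample file except /tom/app.log (info.log contains "fo"), and foo.* also drops myfoo.log because nothing ties the match to the start of the file name.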
