Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

On a syslog light fowarder, how to ignore certain junk folders

Pierceyuk
Path Finder
‎03-06-2014 02:41 AM

So I have a syslog fowarder with splunk light fowarder installed.
I have a /var/syslog/* monitor statement, and also some custom ones where needed /var/syslog/servername1/* index=test etc...

I have noticed that some users send in some real crappy data(example %hostgoeshere+timestamp) Without removing my catch all monitor statement and having a never ending task of adding new hosts.
Is there a way with the monitor statement to send this data to the null queue?
Something like

[monitor:///var/syslog/%hostgoeshere*/*.log]
index=null

Don't see the notes anyway without having to use transforms etc... but I think this must be easier.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-06-2014 02:55 AM

Have you considered setting the blacklist attribute as per http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/inputsconf?

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-06-2014 02:55 AM

Have you considered setting the blacklist attribute as per http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/inputsconf?

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-06-2014 03:12 AM

Yup, a file will be ignored if its path matches the regex specified in a blacklist attribute. There's more info here: http://docs.splunk.com/Documentation/Splunk/6.0.2/Data/Whitelistorblacklistspecificincomingdata

Reply
Solved! Jump to solution

Pierceyuk
Path Finder
‎03-06-2014 03:07 AM

Interesting so adding something like blacklist = %hostgoeshere. would filter out all this junk?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...