Getting Data In

Proper way to blacklist .gz files in inputs.conf?

aferone
Builder

According to the documentation, it is this:

[monitor:///mnt/logs]
blacklist = .gz$

However, I've tried this and the many variations found in this knowledge base, and NONE of them are working!

Please help?

Tags (2)
0 Karma

koshyk
Super Champion

Please have a try

[monitor:///mnt/logs]
sourcetype=someSourcetype
index = myindex
blacklist = \.gz$

lguinn2
Legend

This example assumes that your gzip files all end with "gz" - lower case. How are your gzip files named?

0 Karma

aferone
Builder

That's precisely how they are named. It seems like it is now working? It looked like Splunk was finishing the file it had started and I couldn't stop it, even after a restart of the service.

0 Karma