Trouble with global deny list in inputs.conf

JyPl4wNYu7GV1uL
Explorer

I've reviewed this issue: https://community.splunk.com/t5/Getting-Data-In/Can-I-edit-inputs-conf-to-initiate-a-global-blacklis...

And this page: https://docs.splunk.com/Documentation/Splunk/9.4.2/Data/Specifyinputpathswithwildcards

But I'm still having issues with a global deny list (eliminating any files with "*abcdef*" in the path) working.  It works fine when I put it in the [monitor] stanza but not globally when it's in the [default] stanza.  Syntax I've tried:

[default]
[blacklist:/var/.../*abcdef*/*]
[default]
[blacklist:///var/.../*abcdef*/*]
[default]
[blacklist:.*abcdef.*]

That last one I expected not to work, but I tried it anyway.  The first one looks correct to me.

This works fine, but I have to put it in many [monitor] stanzas (which seems silly).

[monitor:///var/.../mylog*.log]
blacklist = .*abcdef.*

Basically, I want to skip any files in the "/var" path where ".*abcdef.*" appears in the directory hierarchy. 

In most cases, I just have a "whitelist" and "blacklist" statement in each [monitor] stanza, but I have a case where I want to globally deny all files in a certain path.  I'm more comfortable with the regex syntax in the [monitor] stanza.  The global [blacklist:] syntax is not well documented.  I'm assuming it follows the same janky "sort of" regex rules like for the [monitor] stanza.

This is no help at all:

https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Inputsconf

Because it doesn't well define <path>.

0 Karma

JyPl4wNYu7GV1uL
Explorer

Hmm, based on that I thought I'd try fully specifying the full path.  Even this does not work:

[blacklist:/var/dir2/dir3/abcdef]

Where the full path is fully specified.  I still get files with that path from my [monitor] stanzas.  Giving up and sticking with the "blacklist = <regex>" in the monitor stanzas.

0 Karma
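An added example, not part of the original posts and not Splunk code: a small script for the workaround described above, which puts the same "blacklist = <regex>" into every [monitor://] stanza and merges it with any blacklist already there. The helper names and the sample inputs.conf are constructed, and it assumes the per-stanza blacklist is an unanchored regex over the full file path, with Python's re standing in for Splunk's regex engine.

```python
import re

STANZA = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
SETTING = re.compile(r"^\s*blacklist\s*=\s*(?P<value>.*?)\s*$")
PATTERN = r".*abcdef.*"  # the regex the poster reports working per stanza

# Constructed sample inputs.conf (not from the thread).
SAMPLE = r"""[default]
host = constructed-host

[monitor:///var/.../mylog*.log]
sourcetype = app

[monitor:///var/log/other]
blacklist = \.gz$
"""

def split_stanzas(text):
    """Split conf text into [name, body_lines]; name is None before any header."""
    stanzas = [[None, []]]
    for line in text.splitlines():
        m = STANZA.match(line)
        if m:
            stanzas.append([m.group("name"), []])
        else:
            stanzas[-1][1].append(line)
    return stanzas

def add_blacklist(text, pattern):
    """Return conf text with `pattern` denied in every monitor stanza."""
    out = []
    for name, body in split_stanzas(text):
        if name is not None:
            out.append(f"[{name}]")
        if name and name.startswith("monitor://"):
            for i, line in enumerate(body):
                m = SETTING.match(line)
                if m:  # merge with the existing regex instead of replacing it
                    if pattern not in m.group("value"):
                        body[i] = f"blacklist = (?:{m.group('value')})|(?:{pattern})"
                    break
            else:  # no blacklist yet: add one before trailing blank lines
                pos = len(body)
                while pos and not body[pos - 1].strip():
                    pos -= 1
                body.insert(pos, f"blacklist = {pattern}")
        out.extend(body)
    return "\n".join(out) + "\n"

def effective_blacklists(text):
    """Map each monitor stanza name to its blacklist regex, for previewing."""
    return {name: SETTING.match(line).group("value")
            for name, body in split_stanzas(text)
            if name and name.startswith("monitor://")
            for line in body if SETTING.match(line)}
```

Running re.search with each value from effective_blacklists() over a list of real file paths previews what would be skipped before the edited file is deployed.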

koronb_splunk
Splunk Employee

Hello! 😁

Have you tried [blacklist:///var/.*abcdef.*] as opposed to [blacklist:/var/dir2/dir3/abcdef]?




0 Karma

JyPl4wNYu7GV1uL
Explorer

Does not work.  Still getting files in the abcdef directories.

I didn't use that exact syntax cuz I have 1_abcdef, 2_abcdef, and 3_abcdef directories at multiple hierarchies.  So my stanza was:

 [blacklist:///var/test/.../.*abcdef.*] 
0 Karma

JyPl4wNYu7GV1uL
Explorer

Finally, I was able to get one syntax to work.  This works:

[blacklist:///var/dir1/dir2/dir3/.*abcdef.*]

 As long as you fully specify the full path down to the parent dir of the dir you want to block.  For example, this does not work:

[blacklist:///var/.*abcdef.*]

I do still have a ticket open with Splunk since this is so poorly documented and does not seem to follow wildcard rules like [monitor://].   I'd like to get the exact rules for <path> described somewhere.

 

0 Karma

PickleRick
SplunkTrust
[blacklist:<path>]
* Protects files on the file system from being indexed or previewed.
* The input treats a file as denied if the file starts with any of the
  defined deny list <paths>.
* Adding a file to the deny list with the specified path occurs even if a monitor
  stanza defines an allow list that matches the file path.
* The preview endpoint returns an error when asked to preview an
  excluded file.
* The oneshot endpoint and command also returns an error.
* When a denied file is monitored, using monitor:// or batch://,
  the 'filestatus' endpoint shows an error.
* For fschange with the 'sendFullEvent' option enabled, contents of
  denied files are not indexed.

It is explicitly described. The only thing which is not there is if/that it supports wildcard/regex.

0 Karma

PickleRick
SplunkTrust

Unfortunately, the knowledge around these parts of config is relatively sparse. You could test with one or two more slashes. And check your "list monitor" and "list inputstatus" outputs. Maybe they'll shed some light on this.

0 Karma

PickleRick
SplunkTrust

1. 

* The input treats a file as denied if the file starts with any of the
  defined deny list <paths>.

Never used the blacklist stanza but that suggests matching from the start and that's it. No fancy regexing or even wildcarding.

2. The [blacklist:...] stanza is _not_ an entry in the default stanza. It's a separate stanza. [default] is meant for general settings which make sense in the context of any input type. Blacklisting files isn't such a setting (try blacklisting files in a tcp: input).

0 Karma