Hi,
Since I cannot find a way to test this with a large amount of data, I was wondering what will happen if I want to blacklist text files in a folder, but whitelist text files in a subfolder? Example for my input stanza's:
[monitor:///abc/testfolder1/subfolder2]
whitelist = \.txt$
index = index1
sourcetype = sourcetype1
[monitor:///abc/testfolder1]
blacklist = \.txt$
index = index1
sourcetype = sourcetype2
I saw the answers at https://answers.splunk.com/answers/48302/whitelist-blacklist-multiple-files-in-same-directory.html?u...
But that didn't help me much.
Questions:
1) How will Splunk deal with the txt files in the subfolder (from a theoretical point of view)? Index them or not?
2) Does the sequence in inputs.conf matter? First whitelist in a stanza, then blacklist in the next stanza
3) Any other suggestions how I can fix this?
Thanks
You could always do it like this:
https://answers.splunk.com/answers/268433/data-input-path-name-is-the-same.html
I'd try adding recursive = false
to your second stanza.
Thanks for your reply. The thing is, the main folder should monitor its subfolders with sourcetype1. Just not any txt files, so also not from the "/subfolder". But I'm afraid in some cases Splunk will start with blacklisting txt files from that subfolder so it cannot index the txt files in the subfolder with sourcetype2