Getting Data In

Why am I unable to blacklist all content in a certain directory with my current inputs.conf?

anaqvi
Explorer

I am trying to blacklist the following in the inputs.conf

Currently I have this:

[monitor:///var/log]
disabled = false
blacklist = /manager/tomatod*
index = os

I have tried to blacklist all content in the manager directory containing "tomatod" from being ingested.

So far I have had no luck. The inputs.conf file is put into a deployment-app. Not sure what I am doing wrong. Please advise.

0 Karma

jbarlow_splunk
Splunk Employee

[monitor:///home/splunk]
disabled = false
blacklist = \/home\/splunk\/anotherdir\/
sourcetype = sbblacklist

and files within /home/splunk/anotherdir/ were excluded okay.

Turning DEBUG on for log channel TailingProcessor also confirmed the blacklist match:
DEBUG TailingProcessor - Not using stanza for this item (Matched blacklist '\/home\/splunk\/anotherdir\/'.).

0 Karma

hunters_splunk
Splunk Employee

Hi anaqvi,

Aside from escaping the forward slashes, you may also need to indicate any characters before and after your specified text:

[monitor:///var/log]
disabled = false
blacklist = \/manager\/.*tomatod.*
index = os

Hope it works. Thanks!
Hunter

0 Karma

anaqvi
Explorer

Any other recommendations in resolving this issue?

0 Karma

anaqvi
Explorer

I tried that but still no luck 😞

0 Karma

somesoni2
Revered Legend

Blacklist uses regex and you would need to escape those forward slashes. Try this:

[monitor:///var/log]
disabled = false
blacklist = \/manager\/tomatod.*
index = os

0 Karma

anaqvi
Explorer

That did not work. It is still generating events. :(...any other suggestion?

0 Karma

somesoni2
Revered Legend

The blacklist works on the file name (not the file content), so could you provide the full path of the file that you want to exclude?

0 Karma

anaqvi
Explorer

I want to blacklist everything that contains the prefix "tomatod":

/var/log/manager/tomatod.log
/var/log/manager/tomatod_portfolios.log
/var/log/manager/tomatod_portfolios_preview.log
/var/log/manager/tomatod_preview.log
/var/log/manager/tomatod_tickers.log
/var/log/manager/tomatod_tickers_preview.log

0 Karma
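
An added example, not part of any post in this thread: an offline check of the three blacklist values proposed above against the file paths from the last post. It uses Python's `re.search` as a stand-in for Splunk's regex engine and assumes the blacklist is an unanchored match against the full file path; the function names and the two control paths are constructed for illustration.

```python
import re

# File paths listed in the last post of the thread.
PATHS = [
    "/var/log/manager/tomatod.log",
    "/var/log/manager/tomatod_portfolios.log",
    "/var/log/manager/tomatod_portfolios_preview.log",
    "/var/log/manager/tomatod_preview.log",
    "/var/log/manager/tomatod_tickers.log",
    "/var/log/manager/tomatod_tickers_preview.log",
]

# Constructed control paths that should stay monitored.
CONTROLS = [
    "/var/log/manager/other.log",
    "/var/log/manager/tomato_audit.log",  # no trailing "d"
]

# Blacklist values proposed in the thread, in posting order.
PATTERNS = [
    r"/manager/tomatod*",        # original: "d*" means zero or more "d"
    r"\/manager\/.*tomatod.*",
    r"\/manager\/tomatod.*",
]

def blacklisted(pattern, path):
    """True if the pattern matches anywhere in the full path (assumed behaviour)."""
    return re.search(pattern, path) is not None

def report():
    """Per pattern: targets it misses and controls it wrongly excludes."""
    out = {}
    for pat in PATTERNS:
        out[pat] = {
            "missed": [p for p in PATHS if not blacklisted(pat, p)],
            "over_excluded": [c for c in CONTROLS if blacklisted(pat, c)],
        }
    return out

if __name__ == "__main__":
    for pat, res in report().items():
        print(f"{pat!r}: missed={res['missed']} over_excluded={res['over_excluded']}")
```

Under this assumption all three values match every listed path; the original unescaped value additionally matches the constructed `tomato_audit.log` control, because `d*` accepts zero occurrences of `d`.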