I am trying to blacklist the following in the inputs.conf
Currently I have this:
[monitor:///var/log] disabled = false blacklist = /manager/tomatod* index = os
I have tried to blacklist all content that in the manager directory containing "tomatod" from ingesting.
So far I have had no luck. The inputs.conf file is put into a deployment-app. Not sure what I am doing wrong. Please advise..
disabled = false
blacklist = \/home\/splunk\/anotherdir\/
sourcetype = sbblacklist
and files within /home/splunk/anotherdir/
were excluded okay
Turning DEBUG on for log channel TailingProcessor also confirmed match blacklist
DEBUG TailingProcessor - Not using stanza for this item (Matched blacklist '\/home\/splunk\/anotherdir\/'.).
Aside from escaping the forward slashes, you may also need to indicate any characters before and after your specified text:
[monitor:///var/log] disabled = false blacklist = \/manager\/.*tomatod.* index = os
Hope it works. Thanks!
I want to blacklist everything that contains prefix "tomatod"