Why do blacklisted logs index to main?

mdinkins · ‎11-20-2015

I have a group of hosts that use the blacklist function in a monitor stanza in inputs.conf. Here is the referenced stanza:

[monitor:///usr/Interwoven/LiveSiteDisplayServices/runtime/tomcat/logs/*.log]
sourcetype = log4j
source = sfo-lsds-log
index = tnt13
blacklist = (http-client\.log$|globalsession\.log$|snapfish\.log$|livesite-runtime\.log$|catalina\.out$)

All of the logs in the blacklist do NOT get indexed to the referenced index (tnt13) in the stanza, but do get indexed to Main.

I have also tried the following, but the issue of events indexing to main persists:

[monitor:///usr/Interwoven/LiveSiteDisplayServices/runtime/tomcat/logs/]
sourcetype = log4j
source = sfo-lsds-log
index = tnt13
blacklist = http-client\.log$|globalsession\.log$|snapfish\.log$|livesite-runtime\.log$|catalina\.out$

Also of note, the source defined in the stanza does not appear to apply to the events as indexed in tnt13 or main.

Richfez · ‎11-21-2015

I'd guess that you have another monitor stanza somewhere that's doing this.

Please run $splunkhome/bin/splunk cmd btool inputs list and look through those results. If nothing pops out there, please run $splunkhome/bin/splunk cmd btool inputs list > myfile.txt and then edit/read the resulting file and look through it.

Why do blacklisted logs index to main?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?