
Why do blacklisted logs index to main?

Engager

I have a group of hosts that use the blacklist function in a monitor stanza in inputs.conf. Here is the referenced stanza:

[monitor:///usr/Interwoven/LiveSiteDisplayServices/runtime/tomcat/logs/*.log]
sourcetype = log4j
source = sfo-lsds-log
index = tnt13
blacklist = (http-client\.log$|globalsession\.log$|snapfish\.log$|livesite-runtime\.log$|catalina\.out$)

All of the logs in the blacklist do NOT get indexed to the referenced index (tnt13) in the stanza, but do get indexed to Main.

I have also tried the following, but the issue of events indexing to main persists:

[monitor:///usr/Interwoven/LiveSiteDisplayServices/runtime/tomcat/logs/]
sourcetype = log4j
source = sfo-lsds-log
index = tnt13
blacklist = http-client\.log$|globalsession\.log$|snapfish\.log$|livesite-runtime\.log$|catalina\.out$

Also of note, the source defined in the stanza does not appear to apply to the events as indexed in tnt13 or main.

0 Karma

Re: Why do blacklisted logs index to main?

SplunkTrust

I'd guess that you have another monitor stanza somewhere that's doing this.

Please run $SPLUNK_HOME/bin/splunk cmd btool inputs list and look through those results. If nothing pops out there, please run $SPLUNK_HOME/bin/splunk cmd btool inputs list > myfile.txt and then edit/read the resulting file and look through it.

0 Karma
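
Added example (not part of the original thread, and not Splunk's own code): a small Python check that reads saved btool output and lists every monitor stanza that would still pick up a given file after blacklists are applied, with the index it would use. The second stanza in the sample is hypothetical, and the script assumes the blacklist regex is compatible with Python's `re` and that a missing or `default` index means the default index (main).

```python
import re

# Constructed sample of `splunk cmd btool inputs list` output. The first stanza
# is the one from the question; the second is a hypothetical overlapping stanza.
SAMPLE_BTOOL = r"""
[monitor:///usr/Interwoven/LiveSiteDisplayServices/runtime/tomcat/logs/*.log]
blacklist = (http-client\.log$|globalsession\.log$|snapfish\.log$|livesite-runtime\.log$|catalina\.out$)
index = tnt13
sourcetype = log4j
[monitor:///usr/Interwoven/LiveSiteDisplayServices/runtime/...]
index = default
sourcetype = log4j
"""

def parse_stanzas(text):
    """Return {stanza_name: {key: value}} from btool-style stanza output."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def path_regex(monitor_path):
    """Translate monitor wildcards: '...' spans directories, '*' stays in one segment."""
    parts = re.split(r"(\.\.\.|\*)", monitor_path.rstrip("/"))
    body = "".join(".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    # A monitored directory is read recursively, so allow anything beneath it.
    return re.compile(body + r"(/.*)?$")

def stanzas_ingesting(text, file_path):
    """List (stanza, index) for every monitor stanza that would still read file_path."""
    hits = []
    for name, conf in parse_stanzas(text).items():
        if not name.startswith("monitor://"):
            continue
        if not path_regex(name[len("monitor://"):]).match(file_path):
            continue
        blacklist = conf.get("blacklist")
        if blacklist and re.search(blacklist, file_path):
            continue  # this stanza excludes the file
        hits.append((name, conf.get("index", "default")))
    return hits
```

To use it on a real host, pass the contents of the saved myfile.txt and the full path of one of the blacklisted logs to `stanzas_ingesting`; any stanza it returns is a candidate for the events landing in main.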