Getting Data In

add blacklist to previous deploy-app

ttovarzoll
Path Finder

I am using the standard 'Splunk_TA_nix' deploy-app on all of my Linux agents. Now, we are starting to deploy Cortex XDR and the local /var/log/traps/traps.pmd log is extremely verbose and unnecessary to collect in Splunk; it's already being collected by the Cortex XDR console.

How do I blacklist that one log-file without editing the original deploy-app?

I have tried creating an additional deploy-app which specifies that folder, then blacklists that file, but it doesn't work. Maybe I have a typo (see below) but my suspicion is that there's a precedence issue, i.e., I can't modify the input stanza from the first deploy-app?

MY NEW DEPLOY-APP's INPUT.CONF

 

[monitor:///var/log/traps/]
blacklist = traps.pmd
recursive=false
disabled = false
index = os
sourcetype = syslog

 

 

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...