Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

forwarder inputs.conf to watch multiple paths

cthacker
Explorer
‎08-29-2013 03:07 PM

I've tried a bunch of different things on my Forwarder to get it to watch 2 different paths, and blacklist one folder within the second path, and nothing is working. What is the recommended solution for getting the forwarder to watch these two paths:

/var/log
/Library/Logs

and blacklist /Library/Logs/CrashPlan?

my current inputs.conf contains this.

[default]
host = one.example.com
[monitor:///var/log]

I've read the documentation and tried regex a handful of different ways but can't get it to work. I'm using the latest release.

I'm making a change, then restarting the forwarder, then running this to confirm if it's working or not:
/Applications/splunkforwarder/bin/splunk list monitor

Thanks!

Tags (2)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-29-2013 03:43 PM

You could also make use of the 'recurse' attribute - see;

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

[default]
host = one.example.com

[monitor:///var/log]
sourcetype=xxx

[monitor:///Library/Logs]
sourcetype=yyy
recurse = false

/K

0 Karma
Reply

cthacker
Explorer
‎08-29-2013 03:47 PM

thanks for your response. that's good to know... in this case though there are other directories within /Library/Logs/* that I do want it to use.

0 Karma
Reply

cthacker
Explorer
‎08-29-2013 03:17 PM

This seems to have worked.

[default]
host = one.example.com

[monitor:///var/log]

[monitor:///Library/Logs]
blacklist = CrashPlan*

I think I had

blacklist=*CrashPlan*

before and that didn't work.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...