Solved: how to exclude indexing files starts with dot (.) ...

dhavamanis · ‎09-02-2014

Can you please tell us, how to exclude files for indexing starts with dot (.) and ending with .swp.

currently we are using the command like below

./splunk add monitor /var/log/ -index abc sourcetype xyz

kristian_kolb · ‎09-02-2014

locate the monitor stanza in inputs.conf (there can/will be more than one inputs.conf file), and make it like so;

[monitor:///var/log/]
index=abc
sourcetype=xyz
blacklist = /\.[^\\/]+\.swp$

/K

View solution in original post

kristian_kolb · ‎09-02-2014

locate the monitor stanza in inputs.conf (there can/will be more than one inputs.conf file), and make it like so;

[monitor:///var/log/]
index=abc
sourcetype=xyz
blacklist = /\.[^\\/]+\.swp$

/K

dhavamanis · ‎09-22-2014

Can you please tell me how to avoid any filename starts with dot (.)? some the temp files also getting indexed with machine language format to avoid i want exclude those pattern as well.

how to exclude indexing files starts with dot (.) and ending with .swp?

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Are you a member of the Splunk Community?

how to exclude indexing files starts with dot (.) and ending with .swp?

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...