Solved: how to exclude indexing files starts with dot (.) ...

dhavamanis · ‎09-02-2014

Can you please tell us, how to exclude files for indexing starts with dot (.) and ending with .swp.

currently we are using the command like below

./splunk add monitor /var/log/ -index abc sourcetype xyz

kristian_kolb · ‎09-02-2014

locate the monitor stanza in inputs.conf (there can/will be more than one inputs.conf file), and make it like so;

[monitor:///var/log/]
index=abc
sourcetype=xyz
blacklist = /\.[^\\/]+\.swp$

/K

View solution in original post

kristian_kolb · ‎09-02-2014

locate the monitor stanza in inputs.conf (there can/will be more than one inputs.conf file), and make it like so;

[monitor:///var/log/]
index=abc
sourcetype=xyz
blacklist = /\.[^\\/]+\.swp$

/K

dhavamanis · ‎09-22-2014

Can you please tell me how to avoid any filename starts with dot (.)? some the temp files also getting indexed with machine language format to avoid i want exclude those pattern as well.

how to exclude indexing files starts with dot (.) and ending with .swp?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)