Getting Data In

how to exclude indexing files starts with dot (.) and ending with .swp?

dhavamanis
Builder

Can you please tell us, how to exclude files for indexing starts with dot (.) and ending with .swp.

currently we are using the command like below

./splunk add monitor /var/log/ -index abc sourcetype xyz

1 Solution

kristian_kolb
Ultra Champion

locate the monitor stanza in inputs.conf (there can/will be more than one inputs.conf file), and make it like so;

[monitor:///var/log/]
index=abc
sourcetype=xyz
blacklist = /\.[^\\/]+\.swp$

/K

View solution in original post

kristian_kolb
Ultra Champion

locate the monitor stanza in inputs.conf (there can/will be more than one inputs.conf file), and make it like so;

[monitor:///var/log/]
index=abc
sourcetype=xyz
blacklist = /\.[^\\/]+\.swp$

/K

dhavamanis
Builder

Can you please tell me how to avoid any filename starts with dot (.)? some the temp files also getting indexed with machine language format to avoid i want exclude those pattern as well.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...