Getting Data In

inputs.conf monitor question


Hi Community,

I have a inputs.conf monitor that looks like this


The above monitor will cover these paths to the app.log files
And many, many more...

I have a file that I want to sourcetype as access_combined (not eng:custom).
This path falls within the scope of the above monitored stanza.

What is the best way to accomplish this? Do I use a blacklist in the .../app.log eng:custom monitor and then create another monitor stanza for the web01/app.log access_combined that immediately follows this?

Thank you

Labels (2)
0 Karma


Yes, thats correct.

0 Karma


Hi @hank72 

Yes, you are correct, you can mention blacklist = /var/log/logfiles/scapes/web01/app.log 

and Create new moniotring stanza , that should work 

Sanjay Reddy 

Sanjay Reddy

If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...