Getting Data In

inputs.conf monitor question


Hi Community,

I have a inputs.conf monitor that looks like this


The above monitor will cover these paths to the app.log files
And many, many more...

I have a file that I want to sourcetype as access_combined (not eng:custom).
This path falls within the scope of the above monitored stanza.

What is the best way to accomplish this? Do I use a blacklist in the .../app.log eng:custom monitor and then create another monitor stanza for the web01/app.log access_combined that immediately follows this?

Thank you

Labels (2)
0 Karma


Yes, thats correct.

0 Karma


Hi @hank72 

Yes, you are correct, you can mention blacklist = /var/log/logfiles/scapes/web01/app.log 

and Create new moniotring stanza , that should work 

Sanjay Reddy 

Sanjay Reddy

If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...