I have configured syslog-ng to listen on multiple ports, save them in a folder with the IP as its name, and an HF to send the logs to the indexers.
In one case I have 127.0.0.1 sending as loopback to the syslog-ng server; now I want to remove this IP from my input configs.
Let's suppose I have the folder below:
/opt/syslog/Fortigate
Under Fortigate I have multiple Fortigates sending logs, and I don't know if in future we will add a new Fortigate here. One host is 127.0.0.1; I want to remove this from my inputs. What should I do?
Hi @Nawab
Modify the inputs.conf file on your Splunk forwarder to add a blacklist entry for the specific directory you want to exclude.
Locate the stanza for your directory input, e.g. [monitor:///opt/syslog/Fortigate], and add the blacklist line.
[monitor:///opt/syslog/Fortigate]
disabled = false
# ... other settings like index, sourcetype ...
blacklist = /opt/syslog/Fortigate/127\.0\.0\.1/.*
This configuration tells Splunk to monitor the /opt/syslog/Fortigate directory but ignore any files or subdirectories within the /opt/syslog/Fortigate/127.0.0.1 path. The \. escapes the dots in the IP address, and /.* ensures that everything within that specific directory is excluded.
After saving the changes to inputs.conf, you must restart the Splunk forwarder for the changes to take effect.
Check out the inputs.conf docs on blacklisting files: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#:~:text=way.%0A*%20No%20default...
I just pasted blacklist = 127.0.0.1, and when I ran list monitor, all 127.0.0.1 entries were removed. Is that correct, or should I use your method?
Hi @Nawab
That should work too; it's using a regex to match, so 127.0.0.1 I guess will also match 🙂
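The two blacklist forms discussed above (the escaped, directory-anchored one from the first answer and the bare 127.0.0.1 the asker pasted) do not exclude the same set of files. The check below is an added example, not code from the thread or from Splunk; it uses Python's re.search to approximate Splunk's unanchored regex match against the full file path, and the sample paths are constructed.

```python
import re

# Constructed sample of files under the monitored directory (not from the thread).
# Note that 127.0.0.10 is a different, legitimate host whose name merely starts
# with the loopback address.
SAMPLE_PATHS = [
    "/opt/syslog/Fortigate/127.0.0.1/messages.log",
    "/opt/syslog/Fortigate/10.0.0.5/messages.log",
    "/opt/syslog/Fortigate/127.0.0.10/messages.log",
]

# The bare pattern from the follow-up question: unanchored, and each "." is a
# regex wildcard rather than a literal dot.
LOOSE_BLACKLIST = r"127.0.0.1"

# The pattern from the first answer: escaped dots, anchored to the host folder.
STRICT_BLACKLIST = r"/opt/syslog/Fortigate/127\.0\.0\.1/.*"


def excluded_paths(blacklist: str, paths):
    """Return the paths a blacklist regex would exclude.

    Assumption (modelled on the inputs.conf docs): the blacklist regex is
    searched against the full path, not anchored at either end.
    """
    pattern = re.compile(blacklist)
    return [p for p in paths if pattern.search(p)]


def kept_paths(blacklist: str, paths):
    """Return the paths the forwarder would still monitor."""
    excluded = set(excluded_paths(blacklist, paths))
    return [p for p in paths if p not in excluded]


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_BLACKLIST), ("strict", STRICT_BLACKLIST)):
        print(f"{name}: excludes {excluded_paths(pattern, SAMPLE_PATHS)}")
```

The loose pattern silently drops the 127.0.0.10 host's logs along with loopback, which is a visibility gap rather than an ingestion error; the strict form excludes only the intended folder.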