Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- remove specific folder from input
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nawab
Communicator
05-29-2025
05:46 AM
I have configured syslog-ng to listen on multiple ports, save them in a folder with IP name and hf to send logs to indexers,
In one case i have 127.0.0.1 sending as loopback to syslog-ng server, now i want to remove this IP from my input configs.
let suppose I have below folder
/opt/syslog/Fortigate
under fortigate I have mutiple fortigates sending logs and i dont know in future we can add a new fortigate here 1 hot is 127.0.0.1, i want to remove this from my inputs, what should I do.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
livehybrid
Super Champion
05-29-2025
05:49 AM
Hi @Nawab
Modify the inputs.conf file on your Splunk forwarder to add a blacklist entry for the specific directory you want to exclude.
Locate the stanza for your directory input, e.g. [monitor:///opt/syslog/Fortigate], and add the blacklist line.
[monitor:///opt/syslog/Fortigate] disabled = false # ... other settings like index, sourcetype ... blacklist = /opt/syslog/Fortigate/127\.0\.0\.1/.*
This configuration tells Splunk to monitor the /opt/syslog/Fortigate directory but ignore any files or subdirectories within the /opt/syslog/Fortigate/127.0.0.1 path. The \. escapes the dots in the IP address, and /.* ensures that everything within that specific directory is excluded.
After saving the changes to inputs.conf, you must restart the Splunk forwarder for the changes to take effect.
Check out the following inputs.conf docs on blacklist of files: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#:~:text=way.%0A*%20No%20default...
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nawab
Communicator
05-29-2025
05:55 AM
I just pasted blacklist 127.0.0.1, and when I ran list monitor all 127.0.0.1 is remove, is it correct or should i used your method
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
livehybrid
Super Champion
05-29-2025
05:59 AM
Hi @Nawab
That should work too, its using a regex to match so 127.0.0.1 I guess will also match 🙂
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
livehybrid
Super Champion
05-29-2025
05:49 AM
Hi @Nawab
Modify the inputs.conf file on your Splunk forwarder to add a blacklist entry for the specific directory you want to exclude.
Locate the stanza for your directory input, e.g. [monitor:///opt/syslog/Fortigate], and add the blacklist line.
[monitor:///opt/syslog/Fortigate] disabled = false # ... other settings like index, sourcetype ... blacklist = /opt/syslog/Fortigate/127\.0\.0\.1/.*
This configuration tells Splunk to monitor the /opt/syslog/Fortigate directory but ignore any files or subdirectories within the /opt/syslog/Fortigate/127.0.0.1 path. The \. escapes the dots in the IP address, and /.* ensures that everything within that specific directory is excluded.
After saving the changes to inputs.conf, you must restart the Splunk forwarder for the changes to take effect.
Check out the following inputs.conf docs on blacklist of files: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#:~:text=way.%0A*%20No%20default...
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Get Updates on the Splunk Community!
AppDynamics Summer Webinars
This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
SOCin’ it to you at Splunk University
Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...
Credit Card Data Protection & PCI Compliance with Splunk Edge Processor
Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
