Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

whitelist directories inputs.conf

nmohammed
Contributor
‎08-06-2018 12:57 PM

We've ~1000 directories in path and we want to monitor only a few selected directories. I tried to use the whitelist, voiding multiple monitoring stanzas. But it doesn't seem to work. I have verified this by running ./splunk list monitor on the forwarder. Here BX187898, BX676909 are directories in /enc_logs-ep3/bker and have log files in those directories.

Need assistance with the whitelist directories. I have tried with two directories, but I will have a few more added.

[monitor:///enc_logs-ep3/bker]
disabled = false
index = enc_logs
whitelist = (BX187898|BX676909)
host_regex = \S+(EP.*).\d{4}
sourcetype = enc
ignoreOlderThan = 3d

Thanks

0 Karma
Reply

deepashri_123
Motivator
‎08-07-2018 02:43 AM

You can refer this link:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Whitelistorblacklistspecificincomingdata

Can you cross check your regex?
Let me know if this helps!!

0 Karma
Reply

somesoni2
Revered Legend
‎08-06-2018 02:14 PM

Can you give some sample full path of files that you want to monitor and some that you don't?

0 Karma
Reply

nmohammed
Contributor
‎08-06-2018 02:20 PM

Thanks @somesoni2

here's a sample path path -

/enc_logs-en3/bker/BX187898/EncServer. BX187898.ENC5VEABE100934.2018-08-06-14.log

0 Karma
Reply
Get Updates on the Splunk Community!