Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- What are some of the best practices to exclude sou...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Collecting logs from forwarders excluding certain subfolders. Current inputs.conf is :
[monitor://e:\Application\Logs
disabled=false
index=logs
sourcetype=logs
whitelist=\.log$
[monitor://e:\Application\Logs
source="e:\Application\Logs\*\archive\*"
disabled=true
index=logs
sourcetype=logs
whitelist=\.log$
This seems to work but seems awkward. Is there a better way?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use blacklist to exclude monitoring of archive directory, like this
[monitor://e:\Application\Logs]
disabled=false
index=logs
sourcetype=logs
whitelist=.log$
blacklist=archive|any_other_dir_name_here
See this for more information: http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Whitelistorblacklistspecificincomingdata
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use blacklist to exclude monitoring of archive directory, like this
[monitor://e:\Application\Logs]
disabled=false
index=logs
sourcetype=logs
whitelist=.log$
blacklist=archive|any_other_dir_name_here
See this for more information: http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Whitelistorblacklistspecificincomingdata
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll try it out. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The blacklist is working but I just noticed when I restarted Splunk on a forwarder for a different reason I got this error:
E:\SplunkUniversalForwarder\bin>splunk restart
SplunkForwarder: Stopped
Splunk> CSI: Logfiles.
Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Bad regex value: 'Archive|TargetedLogging|IIS|.\log$',
of param: inputs.conf / [monitor://e:\Application\Logs] / blacklist; why: PCRE does not support \L, \l, \N{name}, \U, or \u
One or more regexes in your configuration are not valid. For details, please see btool.log or directly above.
My inputs.conf reads
[monitor://e:\Application\Logs
disabled=false
index=logs
sourcetype=logs
whitelist=.log$
blacklist=Archive|TargetedLogging|IIS|.\log$
Is the blacklist line formatted incorrectly?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @JarrettM,
As one of the options you can define Blacklist in your inputs.conf to exclude the folder
[monitor://e:\Application\Logs]
blacklist = e:\Application\Logs*\archive*
For information on Blacklisting refer documentation: https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Bl...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks!
Sorry I can't "Accept" your answer. You got beat out by one minute!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I was ahead by 1min but its fine....:)thanks
Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco
Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data
Your summer travels continue with new course releases
