Knowledge Management

What are some of the best practices to exclude sources using inputs.conf?

JarrettM
Path Finder

Collecting logs from forwarders excluding certain subfolders. Current inputs.conf is :

[monitor://e:\Application\Logs
disabled=false
index=logs
sourcetype=logs
whitelist=\.log$
[monitor://e:\Application\Logs
source="e:\Application\Logs\*\archive\*"
disabled=true
index=logs
sourcetype=logs
whitelist=\.log$

This seems to work but seems awkward. Is there a better way?

Thanks!

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

You can use blacklist to exclude monitoring of archive directory, like this

[monitor://e:\Application\Logs]
disabled=false
index=logs
sourcetype=logs
whitelist=.log$
blacklist=archive|any_other_dir_name_here

See this for more information: http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Whitelistorblacklistspecificincomingdata

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You can use blacklist to exclude monitoring of archive directory, like this

[monitor://e:\Application\Logs]
disabled=false
index=logs
sourcetype=logs
whitelist=.log$
blacklist=archive|any_other_dir_name_here

See this for more information: http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Whitelistorblacklistspecificincomingdata

0 Karma

JarrettM
Path Finder

I'll try it out. Thanks!

0 Karma

JarrettM
Path Finder

The blacklist is working but I just noticed when I restarted Splunk on a forwarder for a different reason I got this error:

E:\SplunkUniversalForwarder\bin>splunk restart
SplunkForwarder: Stopped

Splunk> CSI: Logfiles.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Bad regex value: 'Archive|TargetedLogging|IIS|.\log$',
of param: inputs.conf / [monitor://e:\Application\Logs] / blacklist; why: PCRE does not support \L, \l, \N{name}, \U, or \u
One or more regexes in your configuration are not valid. For details, please see btool.log or directly above.

My inputs.conf reads

[monitor://e:\Application\Logs
disabled=false
index=logs
sourcetype=logs
whitelist=.log$
blacklist=Archive|TargetedLogging|IIS|.\log$

Is the blacklist line formatted incorrectly?

Thanks

0 Karma

493669
Super Champion

Hi @JarrettM,
As one of the options you can define Blacklist in your inputs.conf to exclude the folder

[monitor://e:\Application\Logs]
     blacklist = e:\Application\Logs*\archive*

For information on Blacklisting refer documentation: https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Bl...

0 Karma

JarrettM
Path Finder

Thanks!

Sorry I can't "Accept" your answer. You got beat out by one minute!

0 Karma

493669
Super Champion

I think I was ahead by 1min but its fine....:)thanks

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...