
What are some of the best practices to exclude sources using inputs.conf?

Path Finder

Collecting logs from forwarders, excluding certain subfolders. Current inputs.conf is:

[monitor://e:\Application\Logs]
disabled=false
index=logs
sourcetype=logs
whitelist=\.log$
[monitor://e:\Application\Logs]
source="e:\Application\Logs\*\archive\*"
disabled=true
index=logs
sourcetype=logs
whitelist=\.log$

This seems to work but seems awkward. Is there a better way?

Thanks!


Re: What are some of the best practices to exclude sources using inputs.conf?

Super Champion

Hi @JarrettM,
As one of the options, you can define a blacklist in your inputs.conf to exclude the folder:

[monitor://e:\Application\Logs]
     # blacklist is a PCRE regex matched against the full path: a literal backslash
     # must be written as \\ (a bare \L or \A would be read as an escape), and
     # "anything" is .* rather than *
     blacklist = e:\\Application\\Logs.*\\archive.*

For information on Blacklisting refer documentation: https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Bl...


Re: What are some of the best practices to exclude sources using inputs.conf?

Path Finder

Thanks!

Sorry I can't "Accept" your answer. You got beat out by one minute!


Re: What are some of the best practices to exclude sources using inputs.conf?

Super Champion

I think I was ahead by 1 min, but it's fine. :) Thanks


Re: What are some of the best practices to exclude sources using inputs.conf?

SplunkTrust

You can use blacklist to exclude monitoring of the archive directory, like this:

[monitor://e:\Application\Logs]
disabled=false
index=logs
sourcetype=logs
# escape the dot, otherwise any path ending in "log" (e.g. "syslog") is whitelisted
whitelist=\.log$
blacklist=archive|any_other_dir_name_here

See this for more information: http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Whitelistorblacklistspecificincomingdata

View solution in original post


Re: What are some of the best practices to exclude sources using inputs.conf?

Path Finder

I'll try it out. Thanks!


Re: What are some of the best practices to exclude sources using inputs.conf?

Path Finder

The blacklist is working, but I just noticed that when I restarted Splunk on a forwarder for a different reason, I got this error:

E:\SplunkUniversalForwarder\bin>splunk restart
SplunkForwarder: Stopped

Splunk> CSI: Logfiles.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Bad regex value: 'Archive|TargetedLogging|IIS|.\log$',
of param: inputs.conf / [monitor://e:\Application\Logs] / blacklist; why: PCRE does not support \L, \l, \N{name}, \U, or \u
One or more regexes in your configuration are not valid. For details, please see btool.log or directly above.

My inputs.conf reads:

[monitor://e:\Application\Logs]
disabled=false
index=logs
sourcetype=logs
whitelist=.log$
blacklist=Archive|TargetedLogging|IIS|.\log$

Is the blacklist line formatted incorrectly?

Thanks

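The script below is an added example written for this page; it is not code from the thread or from Splunk. It exercises the accepted answer's whitelist/blacklist stanza and the failing blacklist from the last post against a constructed set of Windows paths, using Python's re module as a stand-in for the PCRE engine Splunk uses (both reject an unknown escape such as \l, which is what btool reported above). The matching rules are assumptions, not stated on the page: the regexes are searched, unanchored, against the full file path, a file is monitored only if it matches the whitelist and not the blacklist, and the blacklist wins when both match. The corrected stanza at the end is also an assumption about intent: the .\log$ alternative is dropped because the thread does not say what it was meant to match.

```python
import re

# Constructed sample paths, modelled on the e:\Application\Logs tree in the thread.
SAMPLE_PATHS = [
    r"e:\Application\Logs\app1\app.log",             # ordinary log: keep
    r"e:\Application\Logs\app1\archive\old.log",     # archived: drop
    r"e:\Application\Logs\app1\Archive\old2.log",    # archived, different case
    r"e:\Application\Logs\IIS\u_ex190101.log",       # IIS directory
    r"e:\Application\Logs\app2\syslog",              # ends in "log" but not ".log"
    r"e:\Application\Logs\app2\trace.txt",           # never matches the whitelist
    r"e:\Application\Logs\app3\archive_totals.log",  # "archive" in the file name, not a directory
]


def compile_filter(name, pattern):
    """Compile one whitelist/blacklist value.

    Returns (compiled_regex, None) on success, or (None, error_text) carrying
    the same information btool prints: parameter name, value and reason.
    Python re, like PCRE, rejects '\\l' and other unknown letter escapes.
    """
    try:
        return re.compile(pattern), None
    except re.error as exc:
        return None, f"bad regex value {pattern!r} of param {name}; why: {exc}"


def select_files(paths, whitelist=None, blacklist=None):
    """Return the paths the stanza would monitor; raise ValueError on a bad regex.

    Assumed Splunk semantics: unanchored search over the full path, whitelist
    must match (when set), blacklist must not match, blacklist wins over whitelist.
    """
    wl = bl = None
    if whitelist:
        wl, err = compile_filter("whitelist", whitelist)
        if err:
            raise ValueError(err)
    if blacklist:
        bl, err = compile_filter("blacklist", blacklist)
        if err:
            raise ValueError(err)
    selected = []
    for path in paths:
        if wl is not None and not wl.search(path):
            continue                      # not whitelisted
        if bl is not None and bl.search(path):
            continue                      # blacklisted (wins over whitelist)
        selected.append(path)
    return selected


def check_stanza(whitelist, blacklist, paths=SAMPLE_PATHS):
    """Validate a stanza's regexes the way 'splunk btool check' would, then apply them.

    Returns (error_text_or_None, selected_paths); an invalid regex selects nothing.
    """
    try:
        return None, select_files(paths, whitelist, blacklist)
    except ValueError as exc:
        return str(exc), []


if __name__ == "__main__":
    # 1. Shape of the accepted answer: unescaped dot in the whitelist, bare directory
    #    names in the blacklist. It runs, but 'syslog' is admitted, 'Archive' (capital A)
    #    is not excluded, and 'archive_totals.log' is dropped although it is not in an
    #    archive directory.
    print(check_stanza(".log$", "archive|any_other_dir_name_here"))
    # 2. The failing blacklist from the last post: '\l' is not a PCRE (or Python re) escape.
    print(check_stanza(".log$", r"Archive|TargetedLogging|IIS|.\log$"))
    # 3. Corrected (assumed intent): escape the dot, write a literal path backslash
    #    as '\\' so the regex pins the name to a directory separator, and make the
    #    match case-insensitive with (?i).
    print(check_stanza(r"\.log$", r"(?i)\\archive\\|\\IIS\\|TargetedLogging"))
```

Running the script prints the three results in order: a list of four paths for the first stanza, an error string and an empty list for the failing one, and only app1\app.log and app3\archive_totals.log for the corrected one. The same checks can be run against a real stanza with `splunk btool inputs list --debug` on the forwarder, which is what produced the error in the post above.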