- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Stop Splunk To Read files
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stop Splunk To Read files
Hi , currently i need splunk to stop reading the log files from below source location , i updated disabled=true to stop splunk to read files but it still reading and added the blacklist stanza too but nothing works , splunk is still reading and indexing files , Please tell me how can i stop splunk to read the below entire source path ?
[monitor://C:\UCX\dotnet\UCXWinPortal\logs...\Pinnacle_AX_*.log]
disabled = true
recursive = false
index = xxxxx
sourcetype = xxxxx
blacklist = .(log)$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use btool to list out your current configuration. for whatever platform you're on go to the command line into the $SPLUNK_HOME folder and run:
bin/splunk btool inputs list 'monitor://C:\UCX\dotnet\UCXWinPortal\logs...\Pinnacle_AX_*.log' --debug
That command is for linux - for windows I believe it would be bin\splunk.exe btool ...
If you don't get any results, drop the configuration stanza and just run "splunk btool inputs list --debug | more" and find your configuration. It should tell you what Splunk sees as the combined configuration, and the configuration file source it's using for each item.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it worked now actually i made a mistake on my blacklist regex syntax: i added blacklist = /.(log)$ , and it worked , Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Prakash493,
Try below in inputs.conf-
[monitor://C:\UCX\dotnet\UCXWinPortal\logs...\Pinnacle_AX_*.log]
disabled = 1
Also You can disable from UI
go to the Web UI -> Settings - Data Inputs -> Files and Directories -> Disable particular input
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tried with it , didnt worked , i am in indexer cluster and search head cluster environment , where i can disable through deployment server ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where are your stanza is written? is it indexer or heavy forwarder or universal forwarder?
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
