Monitoring Splunk

Stop Splunk To Read files

Prakash493
Communicator

Hi , currently i need splunk to stop reading the log files from below source location , i updated disabled=true to stop splunk to read files but it still reading and added the blacklist stanza too but nothing works , splunk is still reading and indexing files , Please tell me how can i stop splunk to read the below entire source path ?

[monitor://C:\UCX\dotnet\UCXWinPortal\logs...\Pinnacle_AX_*.log]
disabled = true
recursive = false
index = xxxxx
sourcetype = xxxxx
blacklist = .(log)$

Tags (1)
0 Karma

wenthold
Communicator

Use btool to list out your current configuration. for whatever platform you're on go to the command line into the $SPLUNK_HOME folder and run:

bin/splunk btool inputs list 'monitor://C:\UCX\dotnet\UCXWinPortal\logs...\Pinnacle_AX_*.log' --debug

That command is for linux - for windows I believe it would be bin\splunk.exe btool ...

If you don't get any results, drop the configuration stanza and just run "splunk btool inputs list --debug | more" and find your configuration. It should tell you what Splunk sees as the combined configuration, and the configuration file source it's using for each item.

Use btool to troubleshoot configurations

0 Karma

Prakash493
Communicator

it worked now actually i made a mistake on my blacklist regex syntax: i added blacklist = /.(log)$ , and it worked , Thanks

0 Karma

493669
Super Champion

Hi @Prakash493,
Try below in inputs.conf-

[monitor://C:\UCX\dotnet\UCXWinPortal\logs...\Pinnacle_AX_*.log]
disabled = 1

Also You can disable from UI
go to the Web UI -> Settings - Data Inputs -> Files and Directories -> Disable particular input

0 Karma

Prakash493
Communicator

tried with it , didnt worked , i am in indexer cluster and search head cluster environment , where i can disable through deployment server ?

0 Karma

493669
Super Champion

Where are your stanza is written? is it indexer or heavy forwarder or universal forwarder?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...