Monitoring Splunk

how to blacklist the file which is being monitored in two different stanza for the same log


Can any one help how to blacklist a file , the file is monitored and linked in two stanzas

Tags (1)
0 Karma

Super Champion

can you please update us your inputs.conf..

Blacklist (ignore) files
To define the files you want to exclude from indexing, add the following line to your monitor stanza in the /local/inputs.conf file for the app this input was defined in:

blacklist = <your_custom_regex>

If you create a blacklist line for each file you want to ignore, Splunk software activates only the last filter.

To ignore and not monitor only files with the .txt extension:

    blacklist = \.txt$

To ignore and not monitor all files with either the .txt extension OR the .gz extension (note that you use the "|" for this):

    blacklist = \.(?:txt|gz)$

To ignore entire directories beneath a monitor input refer to this example:

    blacklist = archive|historical|\.bak$

This example tells Splunk software to ignore all files under /mnt/logs/ within the archive or historical directories and all files ending in *.bak.

To ignore files whose names contain a specific string, you can do:

   blacklist = 2009022[89]file\.txt$

This example ignores the webserver20090228file.txt and webserver20090229file.txt files under /mnt/logs/.

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...