Monitoring Splunk

how to blacklist the file which is being monitored in two different stanza for the same log


Can any one help how to blacklist a file , the file is monitored and linked in two stanzas

Tags (1)
0 Karma

Super Champion

can you please update us your inputs.conf..

Blacklist (ignore) files
To define the files you want to exclude from indexing, add the following line to your monitor stanza in the /local/inputs.conf file for the app this input was defined in:

blacklist = <your_custom_regex>

If you create a blacklist line for each file you want to ignore, Splunk software activates only the last filter.

To ignore and not monitor only files with the .txt extension:

    blacklist = \.txt$

To ignore and not monitor all files with either the .txt extension OR the .gz extension (note that you use the "|" for this):

    blacklist = \.(?:txt|gz)$

To ignore entire directories beneath a monitor input refer to this example:

    blacklist = archive|historical|\.bak$

This example tells Splunk software to ignore all files under /mnt/logs/ within the archive or historical directories and all files ending in *.bak.

To ignore files whose names contain a specific string, you can do:

   blacklist = 2009022[89]file\.txt$

This example ignores the webserver20090228file.txt and webserver20090229file.txt files under /mnt/logs/.

PS ... If any post helped you in any way, pls give a hi-five to the author with an upvote. if your issue got resolved, please accept the reply as solution.. thanks.
0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...