how to blacklist the file which is being monitored...

Kaushikkatta03 · ‎09-15-2016

Can any one help how to blacklist a file , the file is monitored and linked in two stanzas

inventsekar · ‎09-15-2016

can you please update us your inputs.conf..

Blacklist (ignore) files
To define the files you want to exclude from indexing, add the following line to your monitor stanza in the /local/inputs.conf file for the app this input was defined in:

blacklist = <your_custom_regex>

If you create a blacklist line for each file you want to ignore, Splunk software activates only the last filter.

To ignore and not monitor only files with the .txt extension:

[monitor:///mnt/logs]
    blacklist = \.txt$

To ignore and not monitor all files with either the .txt extension OR the .gz extension (note that you use the "|" for this):

[monitor:///mnt/logs]
    blacklist = \.(?:txt|gz)$

To ignore entire directories beneath a monitor input refer to this example:

[monitor:///mnt/logs]
    blacklist = archive|historical|\.bak$

This example tells Splunk software to ignore all files under /mnt/logs/ within the archive or historical directories and all files ending in *.bak.

To ignore files whose names contain a specific string, you can do:

[monitor:///mnt/logs]
   blacklist = 2009022[89]file\.txt$

This example ignores the webserver20090228file.txt and webserver20090229file.txt files under /mnt/logs/.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

how to blacklist the file which is being monitored in two different stanza for the same log

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?