how to blacklist the file which is being monitored...

Kaushikkatta03 · ‎09-15-2016

Can any one help how to blacklist a file , the file is monitored and linked in two stanzas

inventsekar · ‎09-15-2016

can you please update us your inputs.conf..

Blacklist (ignore) files
To define the files you want to exclude from indexing, add the following line to your monitor stanza in the /local/inputs.conf file for the app this input was defined in:

blacklist = <your_custom_regex>

If you create a blacklist line for each file you want to ignore, Splunk software activates only the last filter.

To ignore and not monitor only files with the .txt extension:

[monitor:///mnt/logs]
    blacklist = \.txt$

To ignore and not monitor all files with either the .txt extension OR the .gz extension (note that you use the "|" for this):

[monitor:///mnt/logs]
    blacklist = \.(?:txt|gz)$

To ignore entire directories beneath a monitor input refer to this example:

[monitor:///mnt/logs]
    blacklist = archive|historical|\.bak$

This example tells Splunk software to ignore all files under /mnt/logs/ within the archive or historical directories and all files ending in *.bak.

To ignore files whose names contain a specific string, you can do:

[monitor:///mnt/logs]
   blacklist = 2009022[89]file\.txt$

This example ignores the webserver20090228file.txt and webserver20090229file.txt files under /mnt/logs/.

how to blacklist the file which is being monitored in two different stanza for the same log

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms