Blacklist all files in windows folder and sub fold...

Splunk Enterprise

I'm monitoring a Windows drive for any files ending in *.lrr and *.eve. This is because we have no control over where the files will be created. This may not be efficient but it works

I want to blacklist a folder on the drive and any sub folders so that the above files are not monitoring if they are in the blacklisted folder. The inputs.conf is

[monitor://D:\...\*.lrr]
disabled = false
whitelist =
index = au_cpe_common_app
sourcetype=LoadRunner_LRR
crcSalt = <SOURCE>
initCrcLength=1000

[monitor://D:\...\_t_rep.eve]
disabled = false
whitelist =
index = au_cpe_common_app
sourcetype=LoadRunner_EVE
crcSalt = <SOURCE>

[monitor://D:\DoNotMonitor\]
disabled = false
whitelist =
blacklist = .+
recursive = true

I would have expected the above blacklist to not monitor any files in the D:\DoNotMonitor folder recusively but it is ingesting files with source "D:\\DoNotMonitor\\donotmonitortest29042021\\_t_rep.eve"

What is the correct way to specify this? I can't find a well documented example of this specific use case

Get Updates on the Splunk Community!

Blacklist all files in windows folder and sub folders

configuration

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?