Blacklist all files in windows folder and sub folders

perrinj2

I'm monitoring a Windows drive for any files ending in *.lrr and *.eve. This is because we have no control over where the files will be created. This may not be efficient but it works.

I want to blacklist a folder on the drive and any sub folders so that the above files are not monitored if they are in the blacklisted folder. The inputs.conf is:

[monitor://D:\...\*.lrr]
disabled = false
whitelist =
index = au_cpe_common_app
sourcetype=LoadRunner_LRR
crcSalt = <SOURCE>
initCrcLength=1000


[monitor://D:\...\_t_rep.eve]
disabled = false
whitelist =
index = au_cpe_common_app
sourcetype=LoadRunner_EVE
crcSalt = <SOURCE>

[monitor://D:\DoNotMonitor\]
disabled = false
whitelist =
blacklist = .+
recursive = true

I would have expected the above blacklist to not monitor any files in the D:\DoNotMonitor folder recursively, but it is ingesting files with source "D:\\DoNotMonitor\\donotmonitortest29042021\\_t_rep.eve".

What is the correct way to specify this? I can't find a well documented example of this specific use case.
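
An added example, not part of the original post: a simplified Python model for checking which monitor stanzas would still pick up a given file before a config is deployed. It assumes each stanza applies only its own `blacklist` regex to the full path, which matches the behaviour reported above; the `FIXED` layout, `path_regex` and `ingesting_stanzas` are illustrative names and not Splunk code.

```python
import configparser
import re

# Constructed from the post (index/sourcetype/crcSalt lines omitted for brevity).
ORIGINAL = r"""
[monitor://D:\...\*.lrr]
[monitor://D:\...\_t_rep.eve]
[monitor://D:\DoNotMonitor\]
blacklist = .+
"""

# Assumed fix: each wildcard stanza carries its own blacklist regex.
# Backslashes are doubled because the value is a regex, not a path.
FIXED = r"""
[monitor://D:\...\*.lrr]
blacklist = ^D:\\DoNotMonitor\\
[monitor://D:\...\_t_rep.eve]
blacklist = ^D:\\DoNotMonitor\\
"""

WILDCARDS = {"...": ".*", "*": r"[^\\]*"}  # "..." recurses, "*" stays in one segment

def path_regex(stanza_path):
    """Turn a monitor path into a regex (simplified model of the wildcard rules)."""
    parts = re.split(r"(\.\.\.|\*)", stanza_path)
    body = "".join(WILDCARDS.get(p, re.escape(p)) for p in parts)
    # A path without wildcards is a directory monitored recursively: prefix match.
    return "^" + body + ("$" if len(parts) > 1 else "")

def ingesting_stanzas(conf_text, file_path):
    """Return the monitor stanzas that would still pick up file_path."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    hits = []
    for section in cp.sections():
        stanza_path = section.split("://", 1)[1]
        if not re.search(path_regex(stanza_path), file_path):
            continue
        blacklist = cp[section].get("blacklist", fallback="")
        if blacklist and re.search(blacklist, file_path):
            continue  # excluded, but only for this stanza
        hits.append(section)
    return hits

if __name__ == "__main__":
    sample = r"D:\DoNotMonitor\donotmonitortest29042021\_t_rep.eve"
    print("original:", ingesting_stanzas(ORIGINAL, sample))
    print("fixed:   ", ingesting_stanzas(FIXED, sample))
```

Under this model the original layout still reports the `_t_rep.eve` wildcard stanza for the sample path, because the `.+` blacklist belongs to a different stanza.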
