Splunk Enterprise

Blacklist all files in windows folder and sub folders

Path Finder

I'm monitoring a Windows drive for any files ending in *.lrr and *.eve. This is because we have no control over where the files will be created. This may not be efficient but it works

I want to blacklist a folder on the drive and any sub folders so that the above files are not monitoring if they are in the blacklisted folder. The inputs.conf is

disabled = false
whitelist =
index = au_cpe_common_app
crcSalt = <SOURCE>

disabled = false
whitelist =
index = au_cpe_common_app
crcSalt = <SOURCE>

disabled = false
whitelist =
blacklist = .+
recursive = true

I would have expected the above blacklist to not monitor any files in the D:\DoNotMonitor folder recusively but it is ingesting files with source "D:\\DoNotMonitor\\donotmonitortest29042021\\_t_rep.eve"

What is the correct way to specify this? I can't find a well documented example of this specific use case

Labels (1)
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...