Splunk Enterprise

How to filter certain logs on forwarder with certain key words or KV pairs in inputs.conf

New Member

How do we filter certain logs on HF using inputs.conf

Tried the below 2 ways but no luck.

blacklist = IME_ID = "*"
blacklist1 = TCA_ID = "*"

blacklist3 = "DOMAIN-2-IME_DETAILS"


Labels (3)
0 Karma

Ultra Champion
blacklist = <regular expression>
* If set, files from this input are NOT monitored if their path matches the
  specified regex.


maybe, you need transforms.conf setting.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!