Splunk Search

How do you exclude files in a directory?

balcv
Contributor

I've been struggling with this for several days now and cannot find a solution that works for me so I am turning to you all.

I simply want to exclude 2 files from a directory from being indexed. The two files exist on one of my Linux servers and are in the /var/log/httpd directory along with regular Apache log files that I DO want indexed. The two files to be excluded are 64080_access_log and 64080_error_log.

From what I have read, the solution should be to have a blacklist line in the inputs.conf file, which I have done in the /splunk/etc/apps/Splunk_TA_nix/local directory, and it looks like:

[monitor:///var/log/httpd]
blacklist=64080_access_log|64080_error_log
disabled = true

But this is not working. After a restart of Splunk, I am still seeing log data from the blacklisted files.

In case it's relevant, I have my main Splunk host that receives those logs, and does the indexing, and that is the host I have added the above code to. I also have a heavy forwarder setup as my Universal Forwarder deployment server, but it does not receive or process any log data. Am I right in adding the above code to the main Splunk server that is receiving the log data?

Many thanks.

Tags (1)
0 Karma
1 Solution

damann
Communicator

change disabled=true to disabled=false to activate your stanza

View solution in original post

damann
Communicator

change disabled=true to disabled=false to activate your stanza

View solution in original post

balcv
Contributor

Damn these double negatives!! I looked at that then talked myself into it being correct.

Thanks @damann.

0 Karma

balcv
Contributor

I feel like such a noob for this one!!

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.