I have configured multiple Data Inputs, pointing at folders such as /mnt/DataInput1 etc. There is a lot of noise so tried following the following links to add a blacklist to the inputs.conf for the input, to restrict junk data such as Level=INFO type linux data. https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata?r=searchtip
Example input: [monitor:///mnt/blob/XXXXXXXXXX/logs] disabled = false index = customerXXXXXXXXXXXX blacklist = Level="(INFO)"
Unfortunately after several tries, and after making a change, restarting Splunk to see the change, then waiting several hours for the Data Inputs page to queue up the number of files, it still doesn't work.
Can anyone please shed some insight into what I'm doing wrong please? Ultimately I'd like to do something like:
blacklist = Level="(INFO)"|coderef="(salt*)|"consul)"
Where as you can see above, I want to blacklist =different event types.
... View more
Did you resolve this? I have a similar issue trying to find the proper format for this field. Not sure if prefix means part of a file, or the folder within a bucket to be looking at....
I have logs/ in that field, thinking that it is grabbing that folder but it is pulling hundreds of GB from S3, even though there are only 2GB worth of compressed log files in that folder...
Hope you found something?
... View more