I've reviewed this issue: https://community.splunk.com/t5/Getting-Data-In/Can-I-edit-inputs-conf-to-initiate-a-global-blacklist-so-it/m-p/220677 And this page: https://docs.splunk.com/Documentation/Splunk/9.4.2/Data/Specifyinputpathswithwildcards But I'm still having issues with a global deny list (eliminating any files with "*abcdef*" in the path) working.  It works fine when I put it in the [monitor] stanza but not globally when it's in the [default] stanza.  Syntax I've tried: [default] [blacklist:/var/.../*abcdef*/*] [default] [blacklist:///var/.../*abcdef*/*] [default] [blacklist:.*abcdef.*] That last one I expected not to work, but I tried it anyway.  The first one looks correct to me. This works fine, but I have to put it in many [monitor] stanzas (which seem silly). [monitor:///var/.../mylog*.log] blacklist = .*abcdef.* Basically, I want to skip any files in the "/var" path where ".*abcdef.*" appears in the directory hierarchy.  In most cases, I just have a "whitelist" and "blacklist" statement in each [monitor] stanza, but I have a case where I want to globally deny all files in a certain path.  I'm more comfortable with the regex syntax in the [monitor] stanza.  The global [blacklist:] syntax is not well documented.  I'm assuming it follows the same janky "sort of " regex rules like for the [monitor] stanza. This is no help at all: https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Inputsconf Because it doesn't well define <path>. ... View more

Stupid form editor adds extra CRs. Having trouble getting this search to work as desired. I've tried these 2 methods and can't them to work:   eventtype="x" Name="x" | fields Name, host | dedup host | stats count by host | appendpipe [stats count | where count=0 | eval host="Specify your text here"]     and using the   fillnull   command. Here is my search:   index=idx1 host=host1 OR host=host2 source=*filename*.txt field1!=20250106 (field2="20005") OR (field2="20006") OR (field2="20007") OR (field2="666") | stats count(field2) by field2, field3 | sort count(field2)   In this case the value for field2="666" does not exist in the results. Here're the results I get:   field2 field3 count(field2) 1 20005 This is field3 value 1 2 2 20006 This is field3 value 2 6 3 20007 This is field3 value 3 13   To summarize, I want to search for all the values of field2 and return the counts for each field2 value even if the field2 value is not found in the search; so, then, count(field2) for field2=666 would be 0. As follows:   field2 field3 count(field2) 1 666 <empty string> 0 2 20005 This is field3 value 1 2 3 20006 This is field3 value 2 6 4 20007 This is field3 value 3 13   This is a simplified example. The actual use case is that I want to search one data set and return all the field2 values and then search for those values in the first data set. This actual search I'm running looks like this:   index=idx1 host=host1 OR host=host2 source=*filename*.txt field1!=20250106 [search index=idx1 host=host1 OR host=host2 source=*filename*.txt field1=20250106 | fields field2 | dedup field2 | return 1000 field2] | stats count(field2) by field2, field3 | sort count(field2)   I want to find all the field2 values when field1=20250106 and then find the counts of those values in the field1!=20250106 events (even for when the count of some field2 values have count=0 in results). ... View more