blacklist matching issues

lrhazi · ‎07-31-2015

The documentation says:

If you want Splunk to ignore entire directories beneath a monitor input refer to this example:

[monitor:///mnt/logs]
    blacklist = (archive|historical|\.bak$)
The above example tells Splunk to ignore all files under /mnt/logs/ within the archive directory, within historical directory and to ignore all files ending in *.bak.

The above would also exclude a folder named archives for example, right?
In my tests, I was trying to exclude sa from /var/log and it seemed to have also excluded /var/log/messages

How do I exclude folders: sa and puppet from monitoring /var/log

How does the matching actually work? matches the whole path of the files, include /mnt/logs, in the above example?

woodcock · ‎07-31-2015

Like this:

blacklist = (/|\\)puppet|sa(/|\\)

Both front- and back- slashes are important to cover *nix and windows and they have to be on both ends or you will match things like .../sockpuppet/...,

lrhazi · ‎07-31-2015

Looks like adding a slash like so works:

blacklist = (puppet/|sa/)

though that is still not exactly: Exclude any folders named puppet or sa

blacklist matching issues

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio