Getting Data In

Why do blacklisted logs index to main?

mdinkins
Engager

I have a group of hosts that use the blacklist function in a monitor stanza in inputs.conf. Here is the referenced stanza:

[monitor:///usr/Interwoven/LiveSiteDisplayServices/runtime/tomcat/logs/*.log]
sourcetype = log4j
source = sfo-lsds-log
index = tnt13
blacklist = (http-client\.log$|globalsession\.log$|snapfish\.log$|livesite-runtime\.log$|catalina\.out$)

All of the logs in the blacklist do NOT get indexed to the referenced index (tnt13) in the stanza, but do get indexed to Main.

I have also tried the following, but the issue of events indexing to main persists:

[monitor:///usr/Interwoven/LiveSiteDisplayServices/runtime/tomcat/logs/]
sourcetype = log4j
source = sfo-lsds-log
index = tnt13
blacklist = http-client\.log$|globalsession\.log$|snapfish\.log$|livesite-runtime\.log$|catalina\.out$

Also of note, the source defined in the stanza does not appear to apply to the events as indexed in tnt13 or main.

0 Karma

Richfez
SplunkTrust
SplunkTrust

I'd guess that you have another monitor stanza somewhere that's doing this.

Please run $splunkhome/bin/splunk cmd btool inputs list and look through those results. If nothing pops out there, please run $splunkhome/bin/splunk cmd btool inputs list > myfile.txt and then edit/read the resulting file and look through it.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...