I had an issue with a host that is outside of my control sending a very large log file causing me to go over the daily index limit. To avoid further overages I created a blacklist for the bad log file directory in the deployment app's input.conf.
#blacklist
[monitor:///d01/admin/servers/server1/logs]
blacklist = \..*$
After saving that and doing a splunk reload deploy-server
the logs would no longer show in search, but would still be counting against the daily indexing license amount.
Am I misunderstanding what blacklist is supposed to do? I've put in an iptables block on the server for the time being until I can figure out what I'm doing wrong. Should the blacklist = .*$ if I want to block any file within?
Thanks in advance for the help.
Hi nhanzlik,
this will blacklist any log file in the directory /d01/admin/servers/server1/logs
which contains a dot and some ending like foo.log
or this.is.a.foo.log.baz
from that point in time where you configured the blacklist and have restarted Splunk. Any events indexed pre change will still be in the index and will still count on that day against the license usage.
Hope this helps ...
cheers, MuS