Why is a blacklisted log file still counting again...

nhanzlik · ‎02-10-2016

I had an issue with a host that is outside of my control sending a very large log file causing me to go over the daily index limit. To avoid further overages I created a blacklist for the bad log file directory in the deployment app's input.conf.

  #blacklist
  [monitor:///d01/admin/servers/server1/logs]
  blacklist = \..*$

After saving that and doing a splunk reload deploy-server the logs would no longer show in search, but would still be counting against the daily indexing license amount.

Am I misunderstanding what blacklist is supposed to do? I've put in an iptables block on the server for the time being until I can figure out what I'm doing wrong. Should the blacklist = .*$ if I want to block any file within?

Thanks in advance for the help.

MuS · ‎02-15-2016

Hi nhanzlik,

this will blacklist any log file in the directory /d01/admin/servers/server1/logs which contains a dot and some ending like foo.log or this.is.a.foo.log.baz from that point in time where you configured the blacklist and have restarted Splunk. Any events indexed pre change will still be in the index and will still count on that day against the license usage.

Hope this helps ...

cheers, MuS

Why is a blacklisted log file still counting against our daily indexing volume?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases