
Issue with blacklisting service name in inputs.conf file

fresned
Path Finder

I have 6 directories that I'm indexing from:

/tom/
/linda/
/joe/
/time/
/jil/
/sue/

Each of the directories has a number of files in them. I'm trying to blacklist anything in the directory that begins with foo.

The inputs.conf file looks like this:

[monitor://tom/*.*]
sourcetype = userTom
disable = 0
blacklist = .*\/\..*|foo*

and so on

[monitor://sue/*.*]
sourcetype = userSue
disable = 0
blacklist = .*\/\..*|foo*

This does not seem to work.

I have also been looking into the filtering of information with inputs.conf, but cannot find an example that describes how to set this up.

[filter:<filtertype>:<filtername>]
* Define a filter of type <filtertype> and name it <filtername>.
* <filtertype>:
  * Filter types are either 'blacklist' or 'whitelist.' 
  * A whitelist filter processes all file names that match the regex list.
  * A blacklist filter skips all file names that match the regex list.
* <filtername>
  * The filter name is used in the comma-separated list when defining a file system monitor.

Any help would be great


dwaddle
SplunkTrust

Should be like this:

[monitor:///tom]
sourcetype = userTom
disable = 0
blacklist = foo.*

First, the monitor stanzas are URL-like - monitor:// plus the path. Your example had only the two slashes, which would have probably put it relative to $SPLUNK_HOME. And I don't think $SPLUNK_HOME/tom was what you wanted to monitor.

Second, you aren't required to put a filespec in the monitor:// stanza - the *.* is not necessary. If you do put a filespec, however, you shouldn't expect whitelist or blacklist to work. (Internally, Splunk uses whitelist and blacklist to implement the wildcard specification you give.)

Third, these are regexes, not globbing-style wildcard expansions. foo* means "f, followed by o, followed by zero or more o" -- so "foo" will match, and so will "fo", and "foooooooooooooooooooo". To make the glob-style pattern foo* you need to make your regex foo.*. To make the glob-style pattern foo.* you need to make your regex foo\..*

Finally, the filter stanzas in inputs.conf are not used for monitor:// stanzas, but for fschange stanzas. So, you wouldn't use those unless you were setting up fschange.
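
An added example, not part of the answer above or of Splunk's own code: a small Python check that shows which files each blacklist regex would skip, so an overly broad pattern that silently drops logs is caught before deployment. It assumes the blacklist is searched, unanchored, against the full file path, uses Python's `re` as a stand-in for Splunk's regex engine, and the sample paths and the `ANCHORED` pattern are constructed for illustration.

```python
import re

# Constructed sample paths under one monitored directory (not from the original post).
PATHS = [
    "/tom/foo.log",
    "/tom/foobar.txt",
    "/tom/app.log",
    "/tom/info.log",
    "/tom/barfoo.log",
    "/tom/.hidden",
]

ASKER = r".*\/\..*|foo*"   # blacklist from the question
ANSWER = r"foo.*"          # blacklist from the answer
ANCHORED = r"/foo[^/]*$"   # added variant: only file names that begin with "foo"


def excluded(pattern, paths=PATHS):
    """Return the paths a blacklist regex would skip.

    Assumption: the regex is searched (not anchored) against the full path,
    so a match anywhere in the path excludes the file.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


if __name__ == "__main__":
    for name, pat in (("asker", ASKER), ("answer", ANSWER), ("anchored", ANCHORED)):
        print(f"{name:9} {pat!r:18} skips {excluded(pat)}")
```

With these sample paths, `foo*` also skips `info.log` because it contains "fo", and `foo.*` also skips `barfoo.log` because "foo" appears mid-name; only the anchored variant is limited to names that start with foo.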
