I am trying to blacklist the following in the inputs.conf
Currently I have this:
[monitor:///var/log]
disabled = false
blacklist = /manager/tomatod*
index = os
I have tried to blacklist all content in the manager directory containing "tomatod" from ingesting.
So far I have had no luck. The inputs.conf file is put into a deployment-app. Not sure what I am doing wrong. Please advise.
[monitor:///home/splunk]
disabled = false
blacklist = \/home\/splunk\/anotherdir\/
sourcetype = sbblacklist
and files within /home/splunk/anotherdir/ were excluded okay.
Turning DEBUG on for log channel TailingProcessor also confirmed the blacklist match:
DEBUG TailingProcessor - Not using stanza for this item (Matched blacklist '\/home\/splunk\/anotherdir\/'.).
Hi anaqvi,
Aside from escaping the forward slashes, you may also need to indicate any characters before and after your specified text:
[monitor:///var/log]
disabled = false
blacklist = \/manager\/.*tomatod.*
index = os
Hope it works. Thanks!
Hunter
Any other recommendations in resolving this issue?
I tried that but still no luck 😞
Blacklist uses regex and you would need to escape those forward slashes. Try this
[monitor:///var/log]
disabled = false
blacklist = \/manager\/tomatod.*
index = os
That did not work. It is still generating events. :(...any other suggestion?
The blacklist works on the file name (not the file content), so could you provide the full path of the file that you want to exclude?
I want to blacklist everything that contains prefix "tomatod"
/var/log/manager/tomatod.log
/var/log/manager/tomatod_portfolios.log
/var/log/manager/tomatod_portfolios_preview.log
/var/log/manager/tomatod_preview.log
/var/log/manager/tomatod_tickers.log
/var/log/manager/tomatod_tickers_preview.log
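The three blacklist values proposed in this thread can be checked offline against the file paths listed above. This is an added example, not part of any post in the thread; it assumes the blacklist is applied as an unanchored regex search over the full file path, uses Python's `re` as a stand-in for Splunk's regex engine, and the control paths and function names are constructed for the test.

```python
import re

# Blacklist values quoted in the thread for [monitor:///var/log].
PATTERNS = {
    "original": r"/manager/tomatod*",
    "escaped": r"\/manager\/tomatod.*",
    "wildcards": r"\/manager\/.*tomatod.*",
}

# Full paths the asker wants excluded (from the thread).
TARGETS = [
    "/var/log/manager/tomatod.log",
    "/var/log/manager/tomatod_portfolios.log",
    "/var/log/manager/tomatod_portfolios_preview.log",
    "/var/log/manager/tomatod_preview.log",
    "/var/log/manager/tomatod_tickers.log",
    "/var/log/manager/tomatod_tickers_preview.log",
]

# Constructed control paths that should remain monitored.
CONTROLS = [
    "/var/log/messages",
    "/var/log/manager/other.log",
    "/var/log/manager/tomato.log",
]


def is_blacklisted(pattern, path):
    """Assumption: unanchored regex search over the full path."""
    return re.search(pattern, path) is not None


def evaluate(pattern):
    """Return (targets the pattern misses, controls it wrongly excludes)."""
    missed = [p for p in TARGETS if not is_blacklisted(pattern, p)]
    overmatched = [p for p in CONTROLS if is_blacklisted(pattern, p)]
    return missed, overmatched


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        missed, overmatched = evaluate(pattern)
        print(f"{name:10} {pattern!r}: missed={missed} overmatched={overmatched}")
```

Under that assumption all three patterns match every listed path; the unescaped original also excludes the constructed `tomato.log`, because `d*` in a regex means zero or more `d` rather than "tomatod followed by anything".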