Getting Data In

Why am I unable to blacklist all content in a certain directory with my current inputs.conf?

anaqvi
Explorer

I am trying to blacklist the following in the inputs.conf

Currently I have this:

[monitor:///var/log]
disabled = false
blacklist = /manager/tomatod*
index = os

I have tried to blacklist all content in the manager directory containing "tomatod" from being ingested.

So far I have had no luck. The inputs.conf file is put into a deployment-app. Not sure what I am doing wrong. Please advise.

0 Karma

jbarlow_splunk
Splunk Employee

[monitor:///home/splunk]
disabled = false
blacklist = \/home\/splunk\/anotherdir\/
sourcetype = sbblacklist

and files within /home/splunk/anotherdir/ were excluded okay.

Turning DEBUG on for log channel TailingProcessor also confirmed the blacklist match:

DEBUG TailingProcessor - Not using stanza for this item (Matched blacklist '\/home\/splunk\/anotherdir\/'.).

0 Karma

hunters_splunk
Splunk Employee

Hi anaqvi,

Aside from escaping the forward slashes, you may also need to indicate any characters before and after your specified text:

[monitor:///var/log]
disabled = false
blacklist = \/manager\/.*tomatod.*
index = os

Hope it works. Thanks!
Hunter

0 Karma

anaqvi
Explorer

Any other recommendations in resolving this issue?

0 Karma

anaqvi
Explorer

I tried that but still no luck 😞

0 Karma

somesoni2
SplunkTrust

Blacklist uses regex and you would need to escape those forward slashes. Try this:

[monitor:///var/log]
disabled = false
blacklist = \/manager\/tomatod.*
index = os

0 Karma

anaqvi
Explorer

That did not work. It is still generating events. :( Any other suggestions?

0 Karma

somesoni2
SplunkTrust

The blacklist works on the file name (not the file content), so could you provide the full path of the file that you want to exclude?

0 Karma

anaqvi
Explorer

I want to blacklist everything that contains the prefix "tomatod":

/var/log/manager/tomatod.log
/var/log/manager/tomatod_portfolios.log
/var/log/manager/tomatod_portfolios_preview.log
/var/log/manager/tomatod_preview.log
/var/log/manager/tomatod_tickers.log
/var/log/manager/tomatod_tickers_preview.log

0 Karma
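
Added example, not part of any post in this thread: an offline check of the three blacklist values posted above against the six file paths listed, assuming Splunk applies the blacklist as an unanchored regex search over the full file path. Python's `re` stands in for Splunk's regex engine here, and `/var/log/messages` and `/var/log/manager/tomato_soup.log` are constructed control paths.

```python
import re

# File paths listed by the original poster.
PATHS = [
    "/var/log/manager/tomatod.log",
    "/var/log/manager/tomatod_portfolios.log",
    "/var/log/manager/tomatod_portfolios_preview.log",
    "/var/log/manager/tomatod_preview.log",
    "/var/log/manager/tomatod_tickers.log",
    "/var/log/manager/tomatod_tickers_preview.log",
]

# Constructed control paths that should stay monitored.
CONTROLS = ["/var/log/messages", "/var/log/manager/tomato_soup.log"]

# blacklist values exactly as posted in the thread.
PATTERNS = {
    "original": r"/manager/tomatod*",
    "hunters_splunk": r"\/manager\/.*tomatod.*",
    "somesoni2": r"\/manager\/tomatod.*",
}


def is_blacklisted(pattern, path):
    """Assumption: unanchored regex search against the full path."""
    return re.search(pattern, path) is not None


def missed(pattern, paths=PATHS):
    """Paths the pattern fails to exclude."""
    return [p for p in paths if not is_blacklisted(pattern, p)]


def over_matched(pattern, controls=CONTROLS):
    """Control paths the pattern excludes by accident."""
    return [p for p in controls if is_blacklisted(pattern, p)]


def report():
    """Map each label to (missed paths, accidentally excluded controls)."""
    return {k: (missed(rx), over_matched(rx)) for k, rx in PATTERNS.items()}


if __name__ == "__main__":
    for label, (miss, extra) in report().items():
        print(f"{label:15} missed={miss} over_matched={extra}")
```

Under that assumption all three values exclude every listed path; the original `tomatod*` differs only in that `d*` means "zero or more d", so it also excludes the `tomato_soup.log` control. On the forwarder itself, the TailingProcessor DEBUG message quoted earlier in the thread is what confirms whether a path actually hit the blacklist.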