Collecting logs from forwarders excluding certain subfolders. Current inputs.conf is:
[monitor://e:\Application\Logs]
disabled=false
index=logs
sourcetype=logs
whitelist=\.log$
[monitor://e:\Application\Logs]
source="e:\Application\Logs\*\archive\*"
disabled=true
index=logs
sourcetype=logs
whitelist=\.log$
This seems to work but seems awkward. Is there a better way?
Thanks!
You can use blacklist to exclude monitoring of archive directory, like this
[monitor://e:\Application\Logs]
disabled=false
index=logs
sourcetype=logs
whitelist=.log$
blacklist=archive|any_other_dir_name_here
See this for more information: http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Whitelistorblacklistspecificincomingdata
I'll try it out. Thanks!
The blacklist is working but I just noticed when I restarted Splunk on a forwarder for a different reason I got this error:
E:\SplunkUniversalForwarder\bin>splunk restart
SplunkForwarder: Stopped
Splunk> CSI: Logfiles.
Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Bad regex value: 'Archive|TargetedLogging|IIS|.\log$',
of param: inputs.conf / [monitor://e:\Application\Logs] / blacklist; why: PCRE does not support \L, \l, \N{name}, \U, or \u
One or more regexes in your configuration are not valid. For details, please see btool.log or directly above.
My inputs.conf reads
[monitor://e:\Application\Logs]
disabled=false
index=logs
sourcetype=logs
whitelist=.log$
blacklist=Archive|TargetedLogging|IIS|.\log$
Is the blacklist line formatted incorrectly?
Thanks
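An added example (not from any poster in this thread, and not Splunk's own code) that checks a whitelist/blacklist pair against sample paths before a forwarder restart, using the blacklist value from the restart error above. Assumptions: Python's `re` stands in for PCRE as an approximation, matching is an unanchored, case-sensitive search on the full path with blacklist taking precedence, and the `check_input` helper, the sample paths and the three alternative patterns are constructed for illustration.

```python
import re

def check_input(whitelist, blacklist, paths):
    """Return (errors, monitored) for one monitor stanza's whitelist/blacklist.

    Assumption: Python's re approximates Splunk's PCRE; both reject unknown
    escapes such as \\l, but they are not the same engine.
    """
    errors, compiled = [], {}
    for name, pattern in (("whitelist", whitelist), ("blacklist", blacklist)):
        try:
            compiled[name] = re.compile(pattern)
        except re.error as exc:
            errors.append(f"{name}: {exc}")
    if errors:
        return errors, []
    # Unanchored search on the full path; a blacklist hit overrides the whitelist.
    monitored = [p for p in paths
                 if compiled["whitelist"].search(p)
                 and not compiled["blacklist"].search(p)]
    return errors, monitored

# Constructed sample paths under the monitored directory (not from the thread).
SAMPLE_PATHS = [
    r"e:\Application\Logs\web\app.log",
    r"e:\Application\Logs\web\Archive\app.log",
    r"e:\Application\Logs\IIS\u_ex.log",
    r"e:\Application\Logs\billing\ArchiveService.log",
    r"e:\Application\Logs\web\app.log.bak",
]
WHITELIST = r"\.log$"

# Value from the restart error: "\l" is not a valid escape sequence.
BROKEN = r"Archive|TargetedLogging|IIS|.\log$"
# Hypothetical variants, to compare what each one would leave monitored:
SWAPPED = r"Archive|TargetedLogging|IIS|\.log$"   # valid, but excludes every .log
UNANCHORED = r"Archive|TargetedLogging|IIS"       # also hits ArchiveService.log
BOUNDED = r"\\(Archive|TargetedLogging|IIS)\\"    # directory names only

if __name__ == "__main__":
    for label, bl in [("BROKEN", BROKEN), ("SWAPPED", SWAPPED),
                      ("UNANCHORED", UNANCHORED), ("BOUNDED", BOUNDED)]:
        errs, kept = check_input(WHITELIST, bl, SAMPLE_PATHS)
        print(label, "errors:", errs, "monitored:", kept)
```

A valid regex is not the same as a correct one: the swapped-backslash variant loads cleanly yet leaves no file monitored, and the unanchored variant drops a log file whose name merely contains a blacklisted word.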
Hi @JarrettM,
As one of the options you can define Blacklist in your inputs.conf to exclude the folder
[monitor://e:\Application\Logs]
blacklist = e:\Application\Logs*\archive*
For information on Blacklisting refer documentation: https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Bl...
Thanks!
Sorry I can't "Accept" your answer. You got beat out by one minute!
I think I was ahead by 1 min but it's fine... :) Thanks