I have found that there are lots of syslog contains "Log statistics", which is log statistic data of syslog.
Splunk could not parse it well and I do not want to index this data.
How I can blacklist it in the inputs.conf?
@bli_scs
From the inputs.conf we can do the blacklisting at file or directory level. See here -
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Whitelistorblacklistspecificincomingda...
However to perform the blacklisting which is event based (on some criteria like in your case that the event contains "Log statistics"), you can use a Heavy Forwarder, which processes both the input phase and the parsing phase before forwarding.
and on your HF, you can define the filtering rule on your props.conf and transforms.conf
For defining a filtering rule, this post can help you -
https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html
Please accept as answer if this responds to your query.
Thanks