I have an index called "iis".
How can I blacklist some specific hosts so that Splunk would not process iis logs for these hosts?
I did something like this in inputs.conf, but this is not working:
# IIS Logs
[monitor://S:\logs\W3SVC*\*.log]
sourcetype = iis
index = iis
ignoreOlderThan = 30d
disabled = false
blacklist = Server1,server2
Does each of your servers have Splunk forwarder installed and they have this monitor stanza to send the logs to your Indexer??
Yes, each of the hosts have the forwarder installed and they are managed by a central server.
a blacklist is a regex, so you may want to do :
blacklist = (Server1|Server2)
beware this is also case sensitive.