I had an issue with a host that is outside of my control sending a very large log file, causing me to go over the daily index limit. To avoid further overages I created a blacklist for the bad log file directory in the deployment app's input.conf.
#blacklist
[monitor:///d01/admin/servers/server1/logs]
blacklist = \..*$
After saving that and doing a splunk reload deploy-server, the logs would no longer show in search, but they would still be counting against the daily indexing license amount.
Am I misunderstanding what blacklist is supposed to do? I've put in an iptables block on the server for the time being until I can figure out what I'm doing wrong. Should the blacklist be .*$ if I want to block any file within?
Thanks in advance for the help.
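As an added example (not part of the original post), the script below emulates how a monitor-stanza blacklist regex is applied, assuming it is an unanchored regex searched against each file's full path, and compares the poster's pattern with the `.*$` alternative over a constructed set of paths under the directory from the post.

```python
import re

# Constructed sample paths under the monitored directory from the post
# (file names are made up for this example).
SAMPLE_PATHS = [
    "/d01/admin/servers/server1/logs/server1.log",
    "/d01/admin/servers/server1/logs/access.log.2023-01-01",
    "/d01/admin/servers/server1/logs/huge_debug",      # no dot in the name
    "/d01/admin/servers/server1/logs/archive/old.log",
]


def blacklisted(pattern, paths):
    """Return the paths a blacklist regex would exclude.

    Assumption: the blacklist value is an unanchored regex that is searched
    (not full-matched) against the full path of each candidate file, so a
    pattern only needs to match somewhere in the path to exclude it.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def still_monitored(pattern, paths):
    """Paths that survive the blacklist and would still be read and indexed."""
    excluded = set(blacklisted(pattern, paths))
    return [p for p in paths if p not in excluded]


if __name__ == "__main__":
    for pat in (r"\..*$", r".*$"):
        print(f"blacklist = {pat}")
        for p in still_monitored(pat, SAMPLE_PATHS):
            print("  still monitored:", p)
```

The posted pattern `\..*$` only excludes files whose path contains a dot, so a file with no dot in its name keeps being read; `.*$` matches every path and excludes everything under the stanza.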