File whitelisting / blacklisting

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6, 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4

In inputs.conf, you can specify files to ignore (blacklist) or to consume exclusively (whitelist) for any specific source that you are tailing. Blacklist and whitelist entries are matched against the file name using regular expression syntax.


Please note: Whitelist and blacklist entries must use exact regex syntax. The "..." wildcard is not supported. Whitelist and blacklist entries must be inside a configuration stanza; entries outside a stanza are ignored (there are no global entries).


Configuration

Blacklist (ignore) files

Add the following argument=value to your tail input stanza in $SPLUNK_HOME/etc/bundles/local/inputs.conf:


_blacklist = $YOUR_CUSTOM_REGEX

Whitelist (allow) files

Add the following argument=value to your tail input stanza in $SPLUNK_HOME/etc/bundles/local/inputs.conf:


_whitelist = $YOUR_CUSTOM_REGEX

Example

[tail:///mnt/logs]
    _whitelist = .*\.log

This example tells Splunk to tail only files with the .log extension.


[tail:///mnt/logs]
    _blacklist = .*\.txt

This example tells Splunk to ignore all files with the .txt extension.


[tail:///mnt/logs]
    _blacklist = \.(txt|gz)$

This example tells Splunk to ignore all files with either the .txt or the .gz extension.
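
The rules above can be checked offline before a restart. The following Python sketch is an added example, not Splunk code and not the listtails utility: it flags entries outside a stanza, "..." patterns and patterns without an end anchor, then shows which file names a pattern selects. It assumes unanchored search matching (as the `\.(txt|gz)$` example suggests) and uses Python's `re` module in place of Splunk's regex engine; the configuration text, the file names and the `lint` and `selected` helpers are constructed for illustration.

```python
import re

# Constructed inputs.conf text: a global entry, the page's first example, a "..." pattern.
SAMPLE_CONF = r"""
_blacklist = \.gz$
[tail:///mnt/logs]
    _whitelist = .*\.log
[tail:///var/log]
    _blacklist = /var/log/.../debug$
"""
# Constructed file names for the dry run.
SAMPLE_FILES = ["app.log", "app.log.gz", "app.login", "notes.txt.log"]

def lint(conf_text):
    """Return (rules, warnings): rules maps stanza -> {key: regex}, warnings are (line, text)."""
    rules, warnings, stanza = {}, [], None
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key not in ("_whitelist", "_blacklist"):
            continue
        if stanza is None:  # the page: entries outside a stanza are ignored
            warnings.append((n, f"{key} outside a stanza is ignored"))
            continue
        try:
            re.compile(value)
        except re.error as exc:
            warnings.append((n, f"invalid regex: {exc}"))
            continue
        if "..." in value:  # the page: "..." is not a wildcard in these entries
            warnings.append((n, '"..." is read as regex, not as a path wildcard'))
        if not value.endswith("$"):  # heuristic: extension patterns usually need an end anchor
            warnings.append((n, "no end anchor; may match more names than intended"))
        rules.setdefault(stanza, {})[key] = value
    return rules, warnings

def selected(pattern, names):
    """Names the pattern matches under unanchored search (assumed semantics)."""
    return [name for name in names if re.search(pattern, name)]

if __name__ == "__main__":
    rules, warnings = lint(SAMPLE_CONF)
    for n, text in warnings:
        print(f"line {n}: {text}")
    for stanza, entries in rules.items():
        for key, pattern in entries.items():
            print(stanza, key, selected(pattern, SAMPLE_FILES))
```

Under these assumptions, `.*\.log` also selects app.log.gz and app.login, while `.*\.log$` selects only names that end in .log.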


Verification tool

To verify that your whitelist and blacklist rules are configured properly, run the listtails utility found in your $SPLUNK_HOME/bin directory. Without interacting with the server in any way, the utility reads the inputs.conf configuration in all bundles, scans your directories, and shows you the exact list of files that Splunk will tail when you restart.


Note: The listtails utility requires you to first run the command source setSplunkEnv.

Revision: 207 | Community content licensed under Creative Commons