Scenario: Lots of log files all in the same directory on a remote host, we don’t want to monitor all of them and we don’t want to specify a long list of files to monitor in our forwarding configuration.
Solution: Use a blacklist entry. The example below monitors all files in the /logs directory, sets a sourcetype of fw_log and ignores any filenames ending with LONDONA or AMSTERDAMA.
Edit file: /home/splunk/opt/splunkforwarder/etc/system/local/inputs.conf

[monitor:///logs/]
disabled = false
blacklist = (\.LONDONA$|\.AMSTERDAMA$)
sourcetype = fw_log
index = firewall
Or, to use a wildcard and monitor only certain files:

[monitor:///logs/firewallmsgs.*]
disabled = false
sourcetype = asa_log
blacklist = (\.LONDONA$|\.AMSTERDAMA$)
index = firewall
Similarly, we can create a whitelist instead:

[monitor:///logs/messages.fw.*]
whitelist = (\.CDCA$|\.CDCB$)
disabled = false
index = firewall
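Splunk treats the blacklist and whitelist values as regular expressions matched against the full path of each file under the monitored directory, and a wrong anchor or an unescaped dot silently changes which logs reach the indexer. The following shell script is an added example, not part of the original post, that applies the two patterns shown above to a constructed set of filenames so the selection can be checked before the stanza is deployed; the filenames and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run the blacklist/whitelist regexes
# from inputs.conf against sample paths to confirm which files would be monitored.
# Splunk matches these patterns as regexes against each file's full path; when both
# are set, a file must match the whitelist and not match the blacklist.

# Constructed sample paths (hypothetical, not real log data).
SAMPLE_FILES="/logs/messages.fw.CDCA
/logs/messages.fw.CDCB
/logs/messages.fw.LONDONA
/logs/firewallmsgs.1.AMSTERDAMA
/logs/firewallmsgs.2.CDCA
/logs/other.log"

BLACKLIST='(\.LONDONA$|\.AMSTERDAMA$)'   # pattern from the [monitor:///logs/] stanza
WHITELIST='(\.CDCA$|\.CDCB$)'            # pattern from the whitelist stanza

# Files that survive a blacklist: everything that does NOT match the regex.
apply_blacklist() {
    printf '%s\n' "$SAMPLE_FILES" | grep -Ev "$1"
}

# Files that survive a whitelist: only those that DO match the regex.
apply_whitelist() {
    printf '%s\n' "$SAMPLE_FILES" | grep -E "$1"
}

# Both set: whitelist first, then blacklist (blacklist takes precedence).
apply_both() {
    printf '%s\n' "$SAMPLE_FILES" | grep -E "$1" | grep -Ev "$2"
}

# Line counts for quick checks (tr strips the padding BSD wc adds).
count_blacklisted() { apply_blacklist "$1" | wc -l | tr -d ' '; }
count_whitelisted() { apply_whitelist "$1" | wc -l | tr -d ' '; }
count_both() { apply_both "$1" "$2" | wc -l | tr -d ' '; }

echo "Monitored after blacklist ($BLACKLIST):"
apply_blacklist "$BLACKLIST"
echo
echo "Monitored after whitelist ($WHITELIST):"
apply_whitelist "$WHITELIST"
```

Run it once with the real file list from the remote host (for example by replacing SAMPLE_FILES with the output of find /logs -type f) and compare the result with what the forwarder actually picks up via splunk list monitor; a mismatch usually means a missing $ anchor or a dot that should have been escaped.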
(We could use ./splunk add monitor /logs/ -index main -sourcetype fw_log, but since we're blacklisting we may as well edit inputs.conf manually.)
Note: the forwarder was added with:
./splunk add forward-server remotehostname:9997
Check forwarding with:

splunk list forward-server
Splunk username: admin
Password:
Active forwards:
        remotehostname:9997
Configured but inactive forwards:
        None

Then configure a receiver on port 9997 on the indexer.