I have 3 different event types:
2017-02-08T08:55:32,704 [host;app1;http-bio-8115-exec-5;[[xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx] (git:stuff) text WARN - message1
2017-02-08T08:55:30,262 [host;app2; Pitt][generic][T#1];[[xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx] (git:stuff) text WARN - message2
2017-02-08T08:55:29,227 [host;app3;AsyncTaskExecutor-10;[[xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx] (git:stuff) text WARN - message3
inputs.conf contains:
[monitor:///log/*.log]
disabled = false
sourcetype = log4j
blacklist = /\S[WARN]/g
Events still get indexed. Please help with some direction.
Thank you in advance.
The blacklist attribute in a monitor stanza acts against files within the path and not individual events within a file. The inputs.conf documentation states:
blacklist =
* If set, files from this input are NOT monitored if their path matches the specified regex.
To filter at the event level for a file monitor you can add settings to the props.conf and transforms.conf. It's documented here
Dave
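The event-level filtering the answer points to, as an added example that is not part of the original answer or of the Splunk documentation it quotes. It assumes the goal is to discard WARN-level events of the log4j sourcetype from the question; the stanza name drop_warn_events is hypothetical.

```ini
# Added example; assumes the goal is to discard WARN-level events.
# The stanza name "drop_warn_events" is hypothetical.

# --- props.conf ---
# Stanza name matches the sourcetype assigned in inputs.conf.
[log4j]
TRANSFORMS-drop_warn = drop_warn_events

# --- transforms.conf ---
[drop_warn_events]
# Matched against the raw event text. Requires the level token followed by
# " - ", as in "... text WARN - message1", so a bare occurrence of the
# word WARN elsewhere in an event does not match.
REGEX = \sWARN\s-\s
# Route matching events to the null queue, which discards them before indexing.
DEST_KEY = queue
FORMAT = nullQueue

# --- inputs.conf ---
# The blacklist line is removed: it filters file paths, not events.
[monitor:///log/*.log]
disabled = false
sourcetype = log4j
```

Index-time transforms run where the data is parsed, so props.conf and transforms.conf belong on the indexer or heavy forwarder rather than on a universal forwarder. Discarded events cannot be searched later, so check the regex against sample events before deploying it.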