The documentation says:
If you want Splunk to ignore entire directories beneath a monitor input refer to this example:
[monitor:///mnt/logs]
blacklist = (archive|historical|\.bak$)
The above example tells Splunk to ignore all files under /mnt/logs/ within the archive directory, within the historical directory, and to ignore all files ending in *.bak.
The above would also exclude a folder named archives for example, right?
In my tests, I was trying to exclude sa from /var/log and it seemed to have also excluded /var/log/messages.
How do I exclude the folders sa and puppet from monitoring /var/log?
How does the matching actually work? Does it match the whole path of the files, including /mnt/logs, in the above example?
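The following is an added example, not part of the original post, that models the matching behaviour the question is about. It assumes that Splunk applies a monitor blacklist as a PCRE-style regular expression searched, unanchored, against each file's full path; the sample paths are constructed for illustration.

```python
import re

# Assumption: Splunk evaluates `blacklist = <regex>` with an unanchored search
# over the file's full path, so any substring match excludes the file.
def is_blacklisted(path: str, blacklist: str) -> bool:
    return re.search(blacklist, path) is not None

# Constructed sample of files that could live under /var/log.
SAMPLE_PATHS = [
    "/var/log/messages",
    "/var/log/sa/sa01",
    "/var/log/puppet/puppet.log",
    "/var/log/samba/log.smbd",
    "/var/log/secure",
]

def excluded(blacklist: str, paths=SAMPLE_PATHS) -> list:
    """Return the files a given blacklist would drop from monitoring."""
    return [p for p in paths if is_blacklisted(p, blacklist)]

if __name__ == "__main__":
    # "sa" matches the substring in "messages" and "samba", not only the sa/ folder.
    print("blacklist = sa ->", excluded("sa"))
    # Anchoring to the directory boundary restricts the match to those folders.
    print("blacklist = ^/var/log/(sa|puppet)/ ->",
          excluded(r"^/var/log/(sa|puppet)/"))
    # The documented example also catches a folder named "archives" because
    # "archive" is matched as a substring; wrapping it in slashes avoids that.
    doc_example = r"(archive|historical|\.bak$)"
    strict = r"/(archive|historical)/|\.bak$"
    for p in ("/mnt/logs/archives/app.log", "/mnt/logs/archive/app.log",
              "/mnt/logs/old.bak"):
        print(p, is_blacklisted(p, doc_example), is_blacklisted(p, strict))
```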