The documentation says:
If you want Splunk to ignore entire directories beneath a monitor input refer to this example:
[monitor:///mnt/logs]
blacklist = (archive|historical|\.bak$)
The above example tells Splunk to ignore all files under /mnt/logs/ within the archive directory, within the historical directory, and to ignore all files ending in *.bak.
The above would also exclude a folder named archives for example, right?
In my tests, I was trying to exclude sa from /var/log and it seemed to have also excluded /var/log/messages
How do I exclude the folders sa and puppet from monitoring /var/log?
How does the matching actually work? Does it match against the whole path of the files, including /mnt/logs, in the above example?
Like this:
blacklist = (/|\\)(puppet|sa)(/|\\)
Both forward and back slashes are important to cover *nix and Windows, and they have to be on both ends or you will match things like .../sockpuppet/...
Looks like adding a slash like so works:
blacklist = (puppet/|sa/)
though that is still not exactly: Exclude any folders named puppet or sa
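To make the differences between these patterns concrete, here is an added example (not from the thread or from Splunk) that runs the documentation regex, the bare folder name from the question, and both answers' patterns against a constructed list of paths. It assumes that Splunk evaluates the blacklist regex as an unanchored search over the full path of each discovered file; the sample paths, the pattern names and the helper functions are all constructed for this illustration.

```python
import re

# Constructed sample paths (not taken from the thread) under the two monitor
# stanzas discussed, /mnt/logs and /var/log, plus one Windows-style path.
SAMPLE_PATHS = [
    "/mnt/logs/app.log",
    "/mnt/logs/archive/app.log",
    "/mnt/logs/archives/app.log",          # 'archives', not 'archive'
    "/mnt/logs/historical/2019/app.log",
    "/mnt/logs/app.log.bak",
    "/mnt/logs/backup.bak.log",            # '.bak' not at the end of the name
    "/var/log/messages",                   # contains the letters 'sa'
    "/var/log/sa/sa01",
    "/var/log/puppet/puppet.log",
    "/var/log/sockpuppet/run.log",         # 'puppet' as the tail of another folder
    "/var/log/lisa/notes.log",             # 'sa' as the tail of another folder
    "C:\\var\\log\\sa\\sa01",              # Windows separators
]

# The documentation example quoted in the question.
DOCS_PATTERN = r"(archive|historical|\.bak$)"
# The bare folder name the question tried first.
NAIVE_PATTERN = r"sa"
# The trailing-slash form from the second answer.
TRAILING_SLASH_PATTERN = r"(puppet/|sa/)"
# A separator on both ends, for both *nix and Windows, as the first answer
# recommends (grouped so that both folder names get both separators).
ANCHORED_PATTERN = r"(/|\\)(puppet|sa)(/|\\)"


def blacklisted(pattern, path):
    """Assumption: Splunk applies the blacklist regex as an unanchored
    search against the full path of each file found under the stanza."""
    return re.search(pattern, path) is not None


def apply_blacklist(pattern, paths=SAMPLE_PATHS):
    """Return the paths the given blacklist regex would exclude, in input order."""
    return [p for p in paths if blacklisted(pattern, p)]


if __name__ == "__main__":
    for name, pattern in [
        ("docs example", DOCS_PATTERN),
        ("bare 'sa'", NAIVE_PATTERN),
        ("trailing slash", TRAILING_SLASH_PATTERN),
        ("both ends", ANCHORED_PATTERN),
    ]:
        print(f"blacklist = {pattern}   ({name})")
        for p in apply_blacklist(pattern):
            print("   excludes", p)
```

Running it shows why each refinement was needed: the bare `sa` drops /var/log/messages and /var/log/lisa/ because the regex is a substring search, the trailing-slash form still catches /var/log/sockpuppet/ and /var/log/lisa/ and misses the Windows path, and only the both-ends form excludes exactly the sa and puppet folders on either platform. The documentation pattern likewise excludes an `archives` folder, which answers the question's first point.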