Trying to make a custom blacklist for one of my input monitor points that excludes certain directories and filetypes:
[monitor:///usr/sap/IX4/DVEBMGS26/work]
disabled = false
blacklist = \VM*.$
blacklist = \vm.$
blacklist = (logs|jtmp)$
blacklist = *.(CPIC|old|trc|dump|DAT|CSV|sql)$
blacklist = \Y_.*$
[monitor:///sapdb/data/wrk/IX4/knltrace]
disabled = false
[monitor:///sapdb/data/wrk/IX4/dbm.prt]
disabled = false
[monitor:///sapdb/data/wrk/IX4/KnlMsg]
disabled = false
But still files VM*.* and directory logs are not getting blacklisted. Can you please check if the syntax is correct?
Thanks & regards,
Kratika
In this topic in the docs:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata
there's a note: "Important: If you create a blacklist line for each file you want to ignore, Splunk activates only the last filter."
So it sounds like you need to combine your five lines into one in the [monitor:///usr/sap/IX4/DVEBMGS26/work] stanza.
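The fix suggested in the answer above, as an added example that is not part of the original thread: a Python check that flags stanzas carrying more than one blacklist line and tries a single combined line against constructed paths. The combined regex is an assumed reading of what the five posted lines were meant to exclude (the logs and jtmp directories, files named VM*, vm* or Y_*, and the listed extensions), and it uses only syntax common to Python's re module and the PCRE dialect Splunk uses.

```python
import re

# Stanza as posted in the question.
POSTED = r"""
[monitor:///usr/sap/IX4/DVEBMGS26/work]
disabled = false
blacklist = \VM*.$
blacklist = \vm.$
blacklist = (logs|jtmp)$
blacklist = *.(CPIC|old|trc|dump|DAT|CSV|sql)$
blacklist = \Y_.*$
"""

# One combined line; the alternatives are an ASSUMED reading of the intent.
# The regex is matched against the full path of each candidate file.
FIXED = r"""
[monitor:///usr/sap/IX4/DVEBMGS26/work]
disabled = false
blacklist = /(logs|jtmp)/|/(VM|vm|Y_)[^/]*$|\.(CPIC|old|trc|dump|DAT|CSV|sql)$
"""

def blacklists(conf_text):
    """Map each stanza name to the list of blacklist values it contains."""
    found, stanza = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            found[stanza] = []
        elif stanza and re.match(r"blacklist\s*=", line):
            found[stanza].append(line.split("=", 1)[1].strip())
    return found

def repeated(conf_text):
    """Stanzas with more than one blacklist line (only the last would apply)."""
    return {s: len(v) for s, v in blacklists(conf_text).items() if len(v) > 1}

def skipped(conf_text, paths):
    """Paths excluded by the single blacklist regex of the (only) stanza."""
    (pattern,) = next(iter(blacklists(conf_text).values()))
    return [p for p in paths if re.search(pattern, p)]

# Constructed sample paths, not taken from a real system.
BASE = "/usr/sap/IX4/DVEBMGS26/work"
SAMPLE = [f"{BASE}/{n}" for n in ("dev_w0", "VMC001.log", "logs/app.log",
          "jtmp/x.tmp", "dev_disp.old", "Y_TEST", "stderr1")]

if __name__ == "__main__":
    print(repeated(POSTED), skipped(FIXED, SAMPLE))
```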