I have the monitor stanza on one of my Universal Forwarders. I tried to blacklist a particular JVM from which the logs are not required to be monitored. Any help would be appreciated on this.
inputs.conf
[monitor:///opt/server/webservers/*/logs/access*.log]
sourcetype=access_logs
blacklist=\/opt\/server\/webservers\/JVM_DEV\/logs\/access*\.log
crcSalt = <SOURCE>
index=devint2
Somehow this worked for me, as my logs might be in 2 different formats:
/opt/server/webservers/JVM_DEV/logs/access.20160203000000.log
/opt/server/webservers/JVM_DEV/logs/access20160203000000.log
blacklist=\/opt\/server\/webservers\/JVM_DEV\/logs\/access\.?\d+\.log
.? takes care of the optional dot...
Like this:
blacklist=\/opt\/server\/webservers\/JVM_DEV\/logs\/access[^\.]*\.log
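Added example, not part of any post above: a quick check of the three blacklist values from this thread against the two file names quoted in it. It assumes Splunk applies `blacklist` as an unanchored regular expression against the full file path (unlike the `*` wildcard in the monitor path), and uses Python's `re` as a stand-in for Splunk's PCRE engine. The `JVM_PROD` path and the plain `access.log` path are constructed samples.

```python
import re

# Blacklist values exactly as posted in the thread (the dict keys are labels added here).
PATTERNS = {
    "question": r"\/opt\/server\/webservers\/JVM_DEV\/logs\/access*\.log",
    "optional_dot": r"\/opt\/server\/webservers\/JVM_DEV\/logs\/access\.?\d+\.log",
    "negated_class": r"\/opt\/server\/webservers\/JVM_DEV\/logs\/access[^\.]*\.log",
}

DOTTED = "/opt/server/webservers/JVM_DEV/logs/access.20160203000000.log"    # from the thread
UNDOTTED = "/opt/server/webservers/JVM_DEV/logs/access20160203000000.log"   # from the thread
PLAIN = "/opt/server/webservers/JVM_DEV/logs/access.log"                    # constructed
OTHER_JVM = "/opt/server/webservers/JVM_PROD/logs/access.20160203000000.log"  # constructed

PATHS = [DOTTED, UNDOTTED, PLAIN, OTHER_JVM]


def excluded(pattern: str, path: str) -> bool:
    """True if the path would be blacklisted (regex matches anywhere in the path)."""
    return re.search(pattern, path) is not None


def report() -> dict:
    """Map each pattern label to the list of sample paths it would exclude."""
    return {
        name: [p for p in PATHS if excluded(rx, p)]
        for name, rx in PATTERNS.items()
    }


if __name__ == "__main__":
    for name, hits in report().items():
        print(name)
        for path in PATHS:
            state = "excluded " if path in hits else "monitored"
            print(f"  {state} {path}")
```

In a regex, `access*` means "acces" followed by zero or more "s", not "access followed by anything", which is why the value in the question excludes neither timestamped file. Running a check like this before deploying `inputs.conf` also confirms that logs from the other JVMs are still collected.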