I want to exclude all files that contain some keyword from splunk forwarder, I have added an entry in prop.conf.
[monitor:/home/default/log]
blacklist = (WARNING|FATAL|ERROR$)
but still my search result return some file that contain WARNING keyword in the file name.
can you please tell me what is the wrong here?
It may need to be (WARNING.*|FATAL|ERROR$) in your regex. Is the file name only WARNING or can it contain other characters at the end?
It may need to be (WARNING.*|FATAL|ERROR$) in your regex. Is the file name only WARNING or can it contain other characters at the end?
Thanks sdaniels