I am attempting to index an Apache logs directory.
We use cronolog to split our Apache log files. We have a subdirectory, rotate_logs, that has historical logs in GZ format.
I want to only index the error log files in /etc/httpd/logs and not the access logs or any time from subdirectories.
Sounds like you want a blacklist on the filename. You can also turn off recursion if you don't want to descend into subdirectories.
For example:
[monitor:///etc/httpd/logs]
recursive = false
blacklist = \.gz$
Take a look at:
http://www.splunk.com/base/Documentation/4.1.5/admin/Inputsconf
and:
http://www.splunk.com/base/Documentation/4.1.5/admin/Whitelistorblacklistspecificincomingdata#Blackl...
Directory structure and exact filenames desired would help too.
It would help to have your current settings and parameters used for this input.
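To check which files a stanza like the one in the answer would pick up before deploying it, the selection rules can be modelled offline. This is an added example, not code from the thread or from Splunk: the file names are constructed, the `whitelist` pattern is an assumption about how the error logs are named, and the model assumes the documented behaviour that both regexes are matched unanchored against the full path and that `blacklist` takes precedence.

```python
import re

ROOT = "/etc/httpd/logs"

# Constructed file names; the real cronolog naming scheme is not given in the thread.
SAMPLE = [
    "/etc/httpd/logs/error_log.2010-11-02",
    "/etc/httpd/logs/access_log.2010-11-02",
    "/etc/httpd/logs/error_log.2010-11-01.gz",
    "/etc/httpd/logs/rotate_logs/error_log.2010-10-01.gz",
    "/etc/httpd/logs/rotate_logs/error_log.2010-10-02",
]

def monitored(path, root, recursive=True, whitelist=None, blacklist=None):
    """Model of a monitor stanza's file selection for one candidate path."""
    root = root.rstrip("/")
    if not path.startswith(root + "/"):
        return False
    relative = path[len(root) + 1:]
    if not recursive and "/" in relative:
        return False  # recursive = false: nothing below the monitored directory
    if blacklist and re.search(blacklist, path):
        return False  # a blacklist match excludes the file even if whitelisted
    if whitelist and not re.search(whitelist, path):
        return False  # with a whitelist set, only matching paths are kept
    return True

def select(paths, **settings):
    """Return the paths from `paths` that the modelled stanza would index."""
    return [p for p in paths if monitored(p, ROOT, **settings)]

# The stanza from the answer:
#   recursive = false
#   blacklist = \.gz$
ANSWER = dict(recursive=False, blacklist=r"\.gz$")

# Same stanza plus an assumed whitelist on the final path component:
#   whitelist = error[^/]*$
ERRORS_ONLY = dict(ANSWER, whitelist=r"error[^/]*$")

if __name__ == "__main__":
    for label, settings in (("answer", ANSWER), ("errors only", ERRORS_ONLY)):
        print(label)
        for p in select(SAMPLE, **settings):
            print("  ", p)
```

With the constructed names, the stanza from the answer still selects the current access log; adding the whitelist narrows the input to the uncompressed error log in the top-level directory.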