I want to blacklist below 2 files:
op_fe-run_autostat*.log
op_fe-proteus_prod_archive*.log
I used below regex but the same is not working. Can someone please help.
blacklist = .(run_autostat|proteus_prod_archive).log$
inputs.conf?
You should include one of these keys: http://docs.splunk.com/Documentation/Splunk/6.4.2/Data/MonitorWindowseventlogdata#Create_advanced_fi...
so yours might be something like:
blacklist1 = Message=%.(run_autostat|proteus_prod_archive)..log%
depending on where the string is in the message field, in might also be
blacklist1 = Message=%^.(run_autostat|proteus_prod_archive)..log$%
Can you please post your filename and regex with Code Sample format (Please use button 101010)
shouldn't it be
.(run_autostat|proteus_prod_archive).*\.log$