The blacklist is working, but I just noticed that when I restarted Splunk on a forwarder for a different reason, I got this error:
E:\SplunkUniversalForwarder\bin>splunk restart
SplunkForwarder: Stopped
Splunk> CSI: Logfiles.
Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Bad regex value: 'Archive|TargetedLogging|IIS|.\log$',
of param: inputs.conf / [monitor://e:\Application\Logs] / blacklist; why: PCRE does not support \L, \l, \N{name}, \U, or \u
One or more regexes in your configuration are not valid. For details, please see btool.log or directly above.
My inputs.conf reads:
[monitor://e:\Application\Logs]
disabled=false
index=logs
sourcetype=logs
whitelist=.log$
blacklist=Archive|TargetedLogging|IIS|.\log$
Is the blacklist line formatted incorrectly?
Thanks
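As an added example (not part of the original post and not Splunk's own code), the sketch below scans the `whitelist`/`blacklist` values of an inputs.conf for the escape sequences named in the error message above (`\L`, `\l`, `\N{name}`, `\U`, `\u`). The function names are hypothetical, and the `MOVED` variant, with the backslash placed in front of the dot, is an assumption about the intended pattern.

```python
# Added example: lint whitelist/blacklist regexes in an inputs.conf for the
# escapes the PCRE error above rejects. Hypothetical helper, not Splunk code.
UNSUPPORTED = {"L", "l", "U", "u"}  # \N{name} is handled separately below

def unsupported_escapes(pattern):
    """Return (offset, sequence) for each escape PCRE rejects in pattern."""
    hits, i = [], 0
    while i < len(pattern) - 1:
        if pattern[i] != "\\":
            i += 1
            continue
        nxt = pattern[i + 1]
        if nxt in UNSUPPORTED:
            hits.append((i, "\\" + nxt))
        elif nxt == "N" and pattern[i + 2:i + 3] == "{":
            hits.append((i, "\\N{"))
        i += 2  # skip the escaped character, so an escaped backslash is safe
    return hits

def lint_inputs_conf(text):
    """Return (stanza, key, offset, sequence) for every rejected escape."""
    stanza, findings = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            stanza = line.strip("[]")
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("whitelist", "blacklist"):
            for off, seq in unsupported_escapes(value.strip()):
                findings.append((stanza, key.strip(), off, seq))
    return findings

# Stanza from the post (header as it appears in the error message).
POSTED = r"""[monitor://e:\Application\Logs]
disabled=false
index=logs
sourcetype=logs
whitelist=.log$
blacklist=Archive|TargetedLogging|IIS|.\log$
"""
# Constructed variant: backslash moved in front of the dot (assumed intent).
MOVED = POSTED.replace(r".\log$", r"\.log$")

if __name__ == "__main__":
    for f in lint_inputs_conf(POSTED):
        print("[%s] %s: unsupported escape %s at offset %d" % (f[0], f[1], f[3], f[2]))
```

Running a check like this before a restart surfaces the same setting that `splunk restart` flags during its conf-file check, without touching the forwarder.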