Try this:
blacklist = (?i:esx-abcd|\.bz2$|\.gz$)
That will make it a case-insensitive regex, and remove the anchor just in case there is a path element prepended.
Also, make sure that your monitor line doesn't have a trailing / on the path. I'm not sure it would matter, but just to be safe.
I'm not completely sure I understand what you are asking for, but I have an idea. If I miss, post a mocked-up example of what you expect your results table to look like.
I think you are looking for the "append" search command.
Try this:
sourcetype=hwa_other source=/var/tomcat/servers/HAP01/logs/tomcat_access*.log "dealswidget" OR "hotelquerywidget" | rex "(?<myword>dealswidget|hotelquerywidget)" | stats count by myword | append [search sourcetype=hwa_other source=/var/tomcat/servers/HAP01/logs/tomcat_access.log | rex field=_raw "(?i)^(?:[^ ]* ){10}(?P<url>[^ ]+)" | stats count by url]
Take a look at the rsyslog docs here: http://www.rsyslog.com/doc/rsyslog_reliable_forwarding.html
I've found forwarding to be flakey without the suggested tweaks.
There are some field name inconsistencies between your description and your example...
Based on your description, try this:
source="A1.txt" | lookup A1_timer field_A AS field_a | table field_A field_b field_B field_C
Three separate steps: search, lookup, and formatting.