I've tried a bunch of different things on my Forwarder to get it to watch 2 different paths, and blacklist one folder within the second path, and nothing is working. What is the recommended solution for getting the forwarder to watch these two paths:
/var/log /Library/Logs
and blacklist /Library/Logs/CrashPlan?
my current inputs.conf contains this.
[default]
host = one.example.com
[monitor:///var/log]
I've read the documentation and tried regex a handful of different ways but can't get it to work. I'm using the latest release.
I'm making a change, then restarting the forwarder, then running this to confirm if it's working or not: /Applications/splunkforwarder/bin/splunk list monitor
Thanks!