I have a directory in which there are several log files I do not wish to monitor. I have set up a blacklist for them in the inputs.conf file and deployed it to the relevant Forwarders. One of these files has a near match in the file name so both got blacklisted; I wanted the other file to be monitored and only this one blacklisted. This is how I had it set up:
[monitor:///path/to/logs/*]
whitelist=(?:\w*.log)$
blacklist=file1.log|file2.log|file3.log
The other log was named splunk-file3.log and the above blacklisted both the unwanted log and this wanted log file. So I modified the blacklist setting to this:
[monitor:///path/to/logs/*]
whitelist=(?:\w*.log)$
blacklist=(?:file1.log|file2.log|^file3.log)$
But the file3.log file is being monitored with this setting. I used one of the interactive RegEx checker web sites (RegEx Pal) and it indicated that this would work, but Splunk apparently disagrees.
What would you use to perform this action?
The actual file names in the application directory path are: metrics.log (unwanted log) and splunk-metrics.log (wanted log). These are application logs, not Splunk logs. The name is similar but a separate one altogether from what Splunk is producing.
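The behaviour described in the post, reproduced as an added example that is not part of the original post: it evaluates both blacklist settings as unanchored searches against the full file path, and separately against bare file names the way a regex tester would. Assumptions: Splunk applies whitelist and blacklist to the full path of each file (as the inputs.conf documentation describes), Python's `re` stands in for Splunk's PCRE, the sample paths are constructed from the post's placeholder names, and the `path_anchored` pattern is an illustrative alternative rather than a setting from the post.

```python
import re

# Constructed sample paths using the placeholder directory and names from the post.
PATHS = [
    "/path/to/logs/file1.log",
    "/path/to/logs/file2.log",
    "/path/to/logs/file3.log",
    "/path/to/logs/splunk-file3.log",
]

WHITELIST = r"(?:\w*.log)$"  # as posted

BLACKLISTS = {
    # First setting from the post: no anchors, so "file3.log" also hits splunk-file3.log.
    "original": r"file1.log|file2.log|file3.log",
    # Second setting from the post: ^ binds to the start of the whole path, not the file name.
    "modified": r"(?:file1.log|file2.log|^file3.log)$",
    # Assumption (not from the post): anchor on the directory separator instead of ^.
    "path_anchored": r"/(?:file1|file2|file3)\.log$",
}


def monitored(paths, whitelist, blacklist):
    """Paths that pass the whitelist and are not hit by the blacklist (full-path search)."""
    wl, bl = re.compile(whitelist), re.compile(blacklist)
    return [p for p in paths if wl.search(p) and not bl.search(p)]


def blacklisted_basenames(paths, blacklist):
    """What a regex tester reports when it is fed bare file names instead of full paths."""
    bl = re.compile(blacklist)
    names = [p.rsplit("/", 1)[-1] for p in paths]
    return [n for n in names if bl.search(n)]


if __name__ == "__main__":
    for label, pattern in BLACKLISTS.items():
        print(f"{label}: {pattern}")
        print("  monitored (full path):", monitored(PATHS, WHITELIST, pattern))
        print("  blacklisted (bare names):", blacklisted_basenames(PATHS, pattern))
```

Before deploying a changed blacklist to forwarders, test the pattern against full paths rather than file names alone; with the real names from the post, the same comparison applies to metrics.log and splunk-metrics.log.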