Hi @LukeMurphey
I am implementing this app in our environment and I was wondering if it is possible to do a few things?
Thanks in advance 🙂
Yes, you can do both of those things. It's very common to use, for example, blacklist1 = \.gz$ to avoid indexing compressed files (often in the case of rolled log files).
See https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Inputsconf#MONITOR:
Thanks @richgalloway for the feedback on the use of blacklist for use in inputs.conf.
Do you happen to have an example of how to use wildcards for the file_path field used by this app?
Cheers
Sorry, I was thinking of a different app when I gave my previous answer. The file_meta_data app has a "file_filter" option that appears to be what you're looking for, but I have no experience with the app so I don't know for sure.
The app is marked as Not Supported, but it may be worth contacting the developer for assistance or, at least, documentation.
Yeah, having tried to use blacklist for the file_meta_data app, I can see from the internal logs that it isn't supported.
I also tried the file_filter field but it seems to act more like a whitelist and so isn't working for my use case.
@LukeMurphey is the developer of this app (hence why I started my post with his member link) so hopefully he will see this post and let me know how to get the ball rolling 🙂