I have 2 files I want to monitor for in the same directory with 2 different sourcetypes. My issue is both files are being picked up by sourcetype a because of the wildcard. The wildcard is needed for the dates that follow the log name. I tried blacklisting the diagnostic file from sourcetype a but that did not work.
[monitor://E:\path\to\log\directory\HFMWeb*-diagnostic.log]
sourcetype = <sourcetype b>
disabled = false
index = <index>
crcSalt = <SOURCE>
[monitor://E:\path\to\log\directory\HFMWeb*.log]
sourcetype = <sourcetype a>
disabled = false
index = <index>
crcSalt = <SOURCE>
blacklist = \-diagnostic
Any ideas on how I can exclude the diagnostic file from sourcetype a but then include in sourcetype b?
You could follow example 3 or 4 listed in the below manual.
https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata
Hope this info helps.
Thanks
Hi @Roy_9 - Thank you for your response. Unfortunately, I did try blacklisting the file from sourcetype a but that didn't seem to work. When I search for sourcetype b, I don't get any results.