I'm missing something here:
blacklist = (samba|yum|.gz)
samba is a directory, the others are files.
Splunk still tries to monitor samba here; I see it in the output of "splunk list monitor". Also, splunkd.log says permission denied for samba, which means it's not ignoring it.
What am I missing? Is there a problem with the regex?
Ustun
This answer is late, but for this problem you can just add the stanza below to your inputs.conf:
[blacklist://<path>]
Cheers,
Dan
I haven't seen any example yet where you can blacklist a directory.
It didn't work that way either. I don't see a problem with this simple regex. I guess something else is going on. Will update once resolved.
Ustun
Try it like this:
blacklist.0 = complete path of samba folder
blacklist.1 = *yum
blacklist.2 = *.gz
Amaral