I'm missing something here:
blacklist = (samba|yum|.gz)
samba is a directory, the others are files.
splunk still tries to monitor samba here, I see it in the output of "splunk list monitor". Also splunkd.log says permission denied for samba, which means it's not ignoring it.
What am I missing? Is there a problem with the regex?