Does anyone have any examples of regex used in the Blacklist patterns for distsearch.conf? We are trying to limit what gets replicated in distributed searches and I thought this would be a good start. We currently have the following in our distsearch.conf:
system [replicationBlacklist]
system lookupindexfiles = (system|(apps/(?!pdfserver))|users(/_reserved)//)/lookups /.index($|/...)
system sampleapp = apps/sample_app/...
I am guessing replacing "sampleapp" with a current application that is running on my Splunk instance will stop this app from replicating. Is this correct? Do I need additional regex?
Hi
There are a couple of options that you can use for this regex. Both of them worked for me:
[replicationBlacklist]
sample1 = ...appname1...
sample2 = .appname2.
That would blacklist the whole lot of files from those apps, you could also only blacklist specific files from inside an app by including the whole path to the file