Does anyone have any examples of regex used in the Blacklist patterns for distsearch.conf? We are trying to limit what gets replicated in distributed searches, and I thought this would be a good start. We currently have the following in our distsearch.conf:
system lookupindexfiles = (system|(apps/(?!pdfserver))|users(/_reserved)//)/lookups /.index($|/...)
system sampleapp = apps/sample_app/...
I am guessing replacing "sampleapp" with a current application that is running on my Splunk instance will stop this app from replicating. Is this correct? Do I need additional regex?