How can i globally blacklist (.gz ) or rotational file logs (log.1, log.2, log.3 etc..) in the inputs.conf , so it applies to all monitors?
Please assist.
There is a [default] available in inputs.conf where you can define your global attributes. These can be overridden at individual input level.
I am struggling to get a global blacklist to function. I read the documentation and have the following on my inputs.conf file. I am still getting .gz files located in subdirectories of most of my monitor paths. for example in path /syslogs/routers/cisco/ciscolog.gz
[default]
host = syslogserver
[blacklist://syslogs/*\.gz$] ## should this be a Triple or double Whack?
[monitor://syslogs/routers]
index = routers
sourcetype = syslog
source = //syslogs/routers
I also am noticing that a /// ( triple whack) and a // ( double whack) both are present in different monitor stanza's. both work !
for example:
[monitor://syslogs/routers]
and
[monitor:///syslogs/oss]
Thanks,
Todd
Give this a try
[blacklist:/syslogs/.../*\.gz]