I am struggling to get a global blacklist to function. I read the documentation and have the following in my inputs.conf file. I am still getting .gz files located in subdirectories of most of my monitor paths. For example, in the path /syslogs/routers/cisco/ciscolog.gz
[default]
host = syslogserver

[blacklist://syslogs/*\.gz$]
## should this be a Triple or double Whack?

[monitor://syslogs/routers]
index = routers
sourcetype = syslog
source = //syslogs/routers
I am also noticing that a /// (triple whack) and a // (double whack) are both present in different monitor stanzas. Both work!