I'm indexing a bunch of metrics files written every 10 minutes. Just after midnight I get a file containing the same format metrics, but each value is the sum for the previous day. This totals file I want to ignore (It messes up all sorts of use cases of the metric data). The only way to reliably identify a totals file is that the third line holds a timestamp, and this will be all zero. Any other file will have a normal ISO timestamp in this point
REGEX = ^TimeStamp\s+:\s+0000-00-00\s00.00.00.000
Is there a way to block that file's ingestion based on the content of a single line?