Hello,
Is there a way to "blacklist" or exclude tar.gz files within a monitored directory in
the inputs.conf file?
For example, I would like to monitor /var/log/syslog/*
but not all the rotated tar files which have been created.
Just the .log files which have been created that day.
The docs at http://docs.splunk.com/Documentation/Splunk/6.0/admin/Inputsconf show under the Monitor section:
blacklist =
* If set, files from this input are NOT monitored if their path matches
the specified regex.
* Takes precedence over the deprecated _blacklist attribute, which functions the same way.
So in your case:
blacklist = \.tar\.gz$
Don't forget to mark it as accepted/answered!
Nice.. Thank you
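Because the documentation quoted above defines blacklist as a regex matched against the file path, a glob-style value such as `*.tar.gz` is not a valid pattern, and an unescaped, unanchored one can silently drop live logs from monitoring. The following check is an added example, not part of the original thread or of Splunk itself: it models the match with Python's `re.search` on the full path (an assumption), and the stanza contents and sample paths are constructed.

```python
import configparser
import re

# Constructed inputs.conf stanza: the monitored path is the one from the
# question; the anchored blacklist value is this example's assumption.
INPUTS_CONF = r"""
[monitor:///var/log/syslog/*]
blacklist = \.tar\.gz$
"""
STANZA = "monitor:///var/log/syslog/*"

# Constructed sample paths, not taken from a real host.
SAMPLE_PATHS = [
    "/var/log/syslog/messages.log",
    "/var/log/syslog/messages-20140101.tar.gz",
    "/var/log/syslog/mytar-gz.log",
]


def load_blacklist(conf_text, stanza):
    """Return the blacklist value of one stanza, or None if it is unset."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.get(stanza, "blacklist", fallback=None)


def is_valid_regex(pattern):
    """Report whether a blacklist value compiles as a regular expression."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def monitored(paths, pattern):
    """Keep the paths whose full path does not match the blacklist regex."""
    if pattern is None:
        return list(paths)
    regex = re.compile(pattern)
    return [p for p in paths if not regex.search(p)]


if __name__ == "__main__":
    print(is_valid_regex("*.tar.gz"))         # glob syntax, rejected as a regex
    print(monitored(SAMPLE_PATHS, load_blacklist(INPUTS_CONF, STANZA)))
    print(monitored(SAMPLE_PATHS, ".tar.gz"))  # loose form also drops mytar-gz.log
```

Running the same check over a listing of the real directory before deploying a blacklist shows exactly which files would stop being indexed.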