Splunk Support came up with a regex that works:
proc = ^(?:(?!ExeNameGoesHere).)*$
Splunk Support came up with a regex that works:
proc = ^(?:(?!ExeNameGoesHere).)*$
for context, please see the other Answer to this question.
Yes. See this document, and be sure to select the your Splunk version in the upper right.
http://docs.splunk.com/Documentation/Splunk/5.0.5/admin/Regmon-filtersconf
Generally speaking, to exclude splunkd.exe you add a custom stanza at the global level and include a regular expression EXCEPT for splunkd.exe for the proc attribute. The way the proc filter works to send everything that matches through, and it drops everything that does not match.
no luck yet... opened a support case
proc = ^\(?!splunk\.exe).*$
I've gone through a few, but here's the latest one I got from someone at Splunk:
proc = (.(?!\splunkd.exe).)
There are stars after the dots, but they aren't showing up in the comment.
What is your regex?
I've seen the docs. A negative regular expression does not seem to have any impact. Is it supposed to work?
this assumes you are using a version of splunk older than 6.0. if you're using 6.0, the same procedure applies, but all the changes should be made in a local copy of inputs.conf