Hi,

This is my very first question here. I was digging through this site, but did not find an answer to my issue. And the issue is, how do I monitor the same path in one app but with different sourcetypes? Currently, I have something like this:

[monitor:///logs/.../*.log]
index = abcd
sourcetype = sourcetype_a
blacklist = \/logs\/xyz

the above works, but with some date parsing issues.

And, because there are lots of files in this location, I don't want to list them all. I have figured out that some logs have a different time format. Therefore, I want to split it into a new monitor with the correct timestamp. So I did something like this:

[monitor:///logs/.../*.log]
index = abcd
sourcetype = sourcetype_a
blacklist = \/logs\/(xyz|dir1\/dir2\/logfile1\.log$|dir1\/dir2\/logfile2\.log$|dir1\/dir2\/logfile3\.log$|dir1\/di2\/logfile4\.log$|dir1\/dir2\/logfile5\.log$|dir1\/dir2\/logfile6\.log$|dir1\/dir3\/logfile7\.log$)

[monitor:///logs/.../*.log]
index = abcd
sourcetype = sourcetype_b
whitelist = \/logs\/(dir1\/dir2\/logfile1\.log$|dir1\/dir2\/logfile2\.log$|dir1\/dir2\/logfile3\.log$|dir1\/di2\/logfile4\.log$|dir1\/dir2\/logfile5\.log$|dir1\/dir2\/logfile6\.log$|dir1\/dir3\/logfile7\.log$)

And this solution does not work. No logs are available since the configuration has been pushed.

Can you please advise where am I wrong?

Thanks in advance,

Przemek