I'm trying to exclude a specific file called catalina.out in /var/log/tomcat9/ from being processed by Splunk. The file is being sent to my heavy forwarder and I have the following in inputs.conf:
[monitor:///var/log/tomcat9]
blacklist=(catalina\.out)
disabled = 0
The data continues to be processed. What am I missing?
Despite being a regular expression, there's no need to escape dots in blacklist or whitelist. There's no need for a capture group, either.
[monitor:///var/log/tomcat9]
blacklist = catalina.out
disabled = 0
Don't forget to specify an index and sourcetype in the inputs.conf stanza.
Thanks @richgalloway. I've removed the escape and added the index and source as suggested, but that data is still appearing.
[monitor:///var/log/tomcat9]
blacklist = catalina.out
index = main
source = catalina.out
disabled = 0
Can the order of the monitor statements have an impact? For example, could a preceding statement override this statement if the previous statement is for ///var/log but does not specifically reference tomcat9?
Stanza order may be significant. Try swapping them.
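A small model of how overlapping monitor stanzas behave, added here as an example and not part of the thread. It assumes Splunk's documented behaviour that whitelist and blacklist are unanchored regular expressions tested against the full file path, and that every monitor stanza covering a path applies its own filters, so a broader stanza with no blacklist still collects the file; the inputs.conf text and file paths are constructed for the demo.

```python
import re

# Constructed inputs.conf: a broad /var/log stanza with no blacklist sits
# alongside the tomcat9 stanza from the question.
SAMPLE_INPUTS_CONF = """
[monitor:///var/log]
index = main
disabled = 0

[monitor:///var/log/tomcat9]
blacklist = catalina.out
index = main
sourcetype = tomcat
disabled = 0
"""


def parse_inputs_conf(text):
    """Parse stanza headers and key = value lines into {stanza: {key: value}}."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def stanza_collects(path, stanza_name, settings):
    """True if this monitor stanza would pick up `path` (assumed semantics)."""
    if not stanza_name.startswith("monitor://"):
        return False
    root = stanza_name[len("monitor://"):]
    if settings.get("disabled", "0") != "0":
        return False
    if not (path == root or path.startswith(root.rstrip("/") + "/")):
        return False
    # Filters are unanchored regexes searched against the full path, so both
    # "catalina.out" and "catalina\.out" match /var/log/tomcat9/catalina.out.
    if "whitelist" in settings and not re.search(settings["whitelist"], path):
        return False
    if "blacklist" in settings and re.search(settings["blacklist"], path):
        return False
    return True


def collecting_stanzas(path, stanzas):
    """Names of every stanza that would collect `path`, in file order."""
    return [name for name, s in stanzas.items() if stanza_collects(path, name, s)]
```

Running collecting_stanzas on /var/log/tomcat9/catalina.out shows the broad /var/log stanza still collecting it; adding the same blacklist to that stanza (or narrowing it) is the check to make.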