Watching: /var/log (across 6 servers)
Result: still uploads at least a gig of /var/log/audit/audit.log every day. I feel like I've tried everything (tweaking the regular expression, restarting Splunk, waiting).
I'd try this
blacklist = (?i:.*?\/audit\/.*$|.*\.gz$)
The initial flag just sets it case-insensitive. Then we have a choice of either any name with "/audit/" anywhere in it (lazy before, greedy after), or any file ending in .gz (greedy before, because we're only backtracking at the end-of-field marker and that won't take long).
Most of the answer came from here...
and here ...
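Before rolling a blacklist out across six servers it helps to see exactly which paths the pattern from the answer above would skip. The Python check below is an added example, not part of the answer; the sample paths are constructed, and it relies on Python's re accepting the same (?i:...) group that Splunk's regex engine does for this pattern.

```python
import re

# Blacklist regex exactly as posted in the answer above. Splunk evaluates a
# monitor stanza's blacklist against the full path of each file it finds.
BLACKLIST = re.compile(r"(?i:.*?\/audit\/.*$|.*\.gz$)")


def is_blacklisted(path: str) -> bool:
    """Return True if the monitor input would skip this file."""
    return BLACKLIST.match(path) is not None


def filter_paths(paths):
    """Split a list of file paths into (ingested, skipped) lists."""
    ingested = [p for p in paths if not is_blacklisted(p)]
    skipped = [p for p in paths if is_blacklisted(p)]
    return ingested, skipped


# Constructed sample paths, not taken from the poster's servers.
SAMPLE_PATHS = [
    "/var/log/audit/audit.log",       # skipped: has a /audit/ directory component
    "/var/log/audit/audit.log.1",     # skipped: rotated copy in the same directory
    "/var/log/AUDIT/audit.log",       # skipped: (?i) makes the match case-insensitive
    "/var/log/messages-20240101.gz",  # skipped: ends in .gz
    "/var/log/syslog.GZ",             # skipped: .GZ also matches under (?i)
    "/var/log/messages",              # ingested
    "/var/log/audit.log",             # ingested: no /audit/ directory in the path
    "/var/log/secure.gz.1",           # ingested: .gz is not at the end of the path
]

if __name__ == "__main__":
    kept, dropped = filter_paths(SAMPLE_PATHS)
    print("ingested:", *kept, sep="\n  ")
    print("skipped:", *dropped, sep="\n  ")
```

Note the last two sample paths: a file named audit.log that sits directly in /var/log, or a .gz that was rotated again to .gz.1, is still ingested by this pattern.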
So I tried that in the web interface, but I'm not seeing it change anything. I say that because when I search source=/var/log/audit/audit.log it shows contents still being uploaded. Is there something I'd have to do to make this take effect? Again, I'm only using the web interface so far.