I am using the standard 'Splunk_TA_nix' deploy-app on all of my Linux agents. Now, we are starting to deploy Cortex XDR and the local /var/log/traps/traps.pmd log is extremely verbose and unnecessary to collect in Splunk; it's already being collected by the Cortex XDR console.
How do I blacklist that one log-file without editing the original deploy-app?
I have tried creating an additional deploy-app which specifies that folder, then blacklists that file, but it doesn't work. Maybe I have a typo (see below), but my suspicion is that there's a precedence issue, i.e., I can't modify the input stanza from the first deploy-app?
MY NEW DEPLOY-APP's INPUTS.CONF
[monitor:///var/log/traps/]
blacklist = traps.pmd
recursive = false
disabled = false
index = os
sourcetype = syslog
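To make the suspected precedence issue concrete, here is an added example (not from the poster or from Splunk_TA_nix) that simulates how Splunk layers inputs.conf across apps: same-named stanzas merge key by key with the higher-precedence app winning, while differently named stanzas are independent. The `[monitor:///var/log]` stanza attributed to the stock TA is an assumption about its shape, not the TA's real content.

```python
import re
from typing import Dict, List

# Stand-in for Splunk's layered inputs.conf merge (the kind of view btool shows).
# Assumed content of the stock TA: the real Splunk_TA_nix stanza may differ and
# may already carry its own blacklist, which a same-named override would replace.
Stanza = Dict[str, str]

BASE_TA = {  # assumed, not the real Splunk_TA_nix inputs.conf
    "monitor:///var/log": {"index": "os", "sourcetype": "syslog", "disabled": "false"},
}
NEW_APP = {  # the stanza from the question, as a separate (differently named) stanza
    "monitor:///var/log/traps/": {"blacklist": "traps.pmd", "recursive": "false",
                                  "disabled": "false", "index": "os", "sourcetype": "syslog"},
}
OVERRIDE_APP = {  # hypothetical alternative: reuse the base stanza name so it merges
    "monitor:///var/log": {"blacklist": r"traps/traps\.pmd$"},
}

def merge_inputs(layers: List[Dict[str, Stanza]]) -> Dict[str, Stanza]:
    """Merge app layers in ascending precedence; same-named stanzas merge key by key."""
    merged: Dict[str, Stanza] = {}
    for layer in layers:
        for name, settings in layer.items():
            merged.setdefault(name, {}).update(settings)
    return merged

def stanzas_matching(conf: Dict[str, Stanza], path: str) -> List[str]:
    """Names of monitor stanzas whose root covers `path` and whose blacklist
    regex (matched against the full path, as Splunk does) does not exclude it."""
    hits = []
    for name, settings in conf.items():
        root = name[len("monitor://"):].rstrip("/") + "/"
        if not path.startswith(root):
            continue
        blacklist = settings.get("blacklist")
        if blacklist and re.search(blacklist, path):
            continue
        hits.append(name)
    return hits

if __name__ == "__main__":
    target = "/var/log/traps/traps.pmd"
    # The new stanza excludes the file, but the base /var/log stanza still covers it.
    print(stanzas_matching(merge_inputs([BASE_TA, NEW_APP]), target))
    # Merging a blacklist into the same-named base stanza is what removes it.
    print(stanzas_matching(merge_inputs([BASE_TA, OVERRIDE_APP]), target))
```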