I have seen a few regex examples on this and I have used the regex tools online to test my regex to blacklist files that begin with a period (.) yet this example is not working.
example of inputs
index = index
sourcetype = sourcetype
blacklist = ^\.\S
example filename = .filename.syslog.2021-01-01
Thanks for the quick reply, Jacob. While that didn't work for our specific case, I do appreciate the response. In the end, and I am unsure why TBH, this is what's currently in place and working for us to blacklist files that start with a dot (.):
blacklist = \/dir\/dir\/syslog\/\.\S+
You have the ^\. part of the regex correct, but \S is matching a single non-whitespace character as seen here. I assume what you are really going for is ^\.\S*, but it would be more accurate to use ^\..* to blacklist every single file that either is a . or starts with one (see that here). The difference is that using \S* would not blacklist files that start with a . but have a space in them.
(Sorry for the bad formatting. Splunk is throwing all kinds of errors when I try to properly format the text)
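The following is an added example, not code from either poster. It runs the patterns from this thread against constructed full paths, assuming (per the inputs.conf spec) that a monitor `blacklist` is matched unanchored against the file's full path rather than its basename, and that Python's `re` behaves like Splunk's PCRE for these simple patterns. The `any_dir_dotfile` pattern and all function names are hypothetical additions.

```python
import re

# Constructed sample paths; /dir/dir/syslog/ mirrors the placeholder path in the thread.
SAMPLE_PATHS = [
    "/dir/dir/syslog/.filename.syslog.2021-01-01",
    "/dir/dir/syslog/filename.syslog.2021-01-01",
    "/dir/dir/syslog/.hidden file with space",
    "/dir/dir/syslog/host.example/messages",
]

PATTERNS = {
    # Patterns quoted in the thread.
    "question_pattern": r"^\.\S",
    "answer_pattern": r"^\..*",
    "working_pattern": r"\/dir\/dir\/syslog\/\.\S+",
    # Hypothetical alternative: a dotfile basename in any directory,
    # including names that contain spaces.
    "any_dir_dotfile": r"/\.[^/]*$",
}


def excluded(pattern, path):
    """True if an unanchored search of `pattern` hits anywhere in `path`."""
    return re.search(pattern, path) is not None


def evaluate(patterns=PATTERNS, paths=SAMPLE_PATHS):
    """Map each pattern name to the list of sample paths it would exclude."""
    return {
        name: [p for p in paths if excluded(rx, p)]
        for name, rx in patterns.items()
    }


if __name__ == "__main__":
    # Against the bare filename (what an online regex tester is usually fed),
    # the ^-anchored pattern matches.
    print("basename only:", excluded(PATTERNS["question_pattern"],
                                     ".filename.syslog.2021-01-01"))
    # Against full paths, ^ sits before the leading "/" so it never matches.
    for name, hits in evaluate().items():
        print(f"{name:18} excludes {len(hits)} path(s)")
        for h in hits:
            print("   ", h)
```

Under that assumption, the `^`-anchored patterns exclude nothing because every monitored path starts with `/`, which is consistent with the path-based pattern being the one that worked.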