I have seen a few regex examples on this and I have used the regex tools online to test my regex to blacklist files that begin with a period (.) yet this example is not working.
example of inputs
[monitor:///dir/dir/dir/syslog]
index = index
sourcetype = sourcetype
host_regex=syslog\/(?P<host>.*)\.syslog
blacklist = ^\.\S
example filename = .filename.syslog.2021-01-01
Thanks for the quick reply, Jacob. While that didn't work for our specific case, I do appreciate the response. In the end, and I am unsure why TBH, this is what's currently in place and working for us to blacklist files that start with a dot (.):
blacklist = \/dir\/dir\/syslog\/\.\S+
You have the ^\. part of the regex correct, but \S is matching a single non-whitespace character as seen here. I assume what you are really going for is ^\.\S*, but it would be more accurate to use ^\..* to blacklist every single file that either is a . or starts with one (see that here). The difference is that using \S* would not blacklist files that start with a . but have a space in them.
(Sorry for the bad formatting. Splunk is throwing all kinds of errors when I try to properly format the text)
Sadly it's not working for me. I have also tried something more specific and still no joy.
blacklist = /dir/dir/dir/syslog/.*
and
blacklist = \/dir\/dir\/dir\/syslog\/\..*
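Splunk's inputs.conf documentation describes the monitor blacklist as a regex matched against the file's path, so a pattern tested against a bare filename in an online tool can behave differently once deployed. The Python check below is an added example, not code from any poster in this thread: it runs the blacklist values quoted above against full paths and reports dotfiles that would still be monitored and regular files that would silently stop being ingested. The sample paths and the last candidate pattern are constructed assumptions, and Python's `re` stands in for Splunk's PCRE engine.

```python
import posixpath
import re

# Constructed sample paths under the monitor stanza from the question.
SAMPLE_PATHS = [
    "/dir/dir/dir/syslog/.filename.syslog.2021-01-01",  # dotfile, should be skipped
    "/dir/dir/dir/syslog/host01.syslog",                # regular file, must be kept
    "/dir/dir/dir/syslog/.cache/host02.syslog",         # regular file in a dot directory
    "/dir/dir/dir/syslog/host.03.syslog.2021-01-01",    # dots only inside the name
]

# Blacklist values quoted in the thread, plus one assumed alternative (last).
CANDIDATES = [
    r"^\.\S",
    r"^\..*",
    r"/dir/dir/dir/syslog/.*",
    r"\/dir\/dir\/dir\/syslog\/\..*",
    r"\/dir\/dir\/syslog\/\.\S+",
    r"/\.[^/]*$",  # assumption: anchor on the last path component
]


def excluded(pattern, paths=SAMPLE_PATHS):
    """Paths the blacklist would skip: unanchored search over the full path."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def audit(pattern, paths=SAMPLE_PATHS):
    """Return (dotfiles still monitored, regular files no longer monitored)."""
    hit = set(excluded(pattern, paths))
    dotfiles = {p for p in paths if posixpath.basename(p).startswith(".")}
    missed = [p for p in paths if p in dotfiles and p not in hit]
    dropped = [p for p in paths if p in hit and p not in dotfiles]
    return missed, dropped


if __name__ == "__main__":
    for pat in CANDIDATES:
        missed, dropped = audit(pat)
        print(f"{pat!r}: dotfiles still monitored={len(missed)}, "
              f"regular files dropped={len(dropped)}")
```

A non-empty second list is the case to watch for in a logging pipeline: the input keeps running, but those files are never indexed.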