Can I use blacklist in a batch stanza? I couldn't find anything in the documentation saying otherwise.
Thanks,
The answer is actually yes, you should be able to use white & blacklist settings for sinkhole directories (batch inputs). The underlying logic is the same for both monitor and batch inputs, the only difference being that batch is destructive and will delete your data.
I'll get the docs updated to reflect this.
The answer is actually yes, you should be able to use white & blacklist settings for sinkhole directories (batch inputs). The underlying logic is the same for both monitor and batch inputs, the only difference being that batch is destructive and will delete your data.
I'll get the docs updated to reflect this.
According to what I read, the answer is no.
"Use whitelist and blacklist rules to explicitly tell Splunk which files to consume when monitoring directories."
http://www.splunk.com/base/Documentation/4.1.2/Admin/Whitelistorblacklistspecificincomingdata