I've tried a bunch of different things on my Forwarder to get it to watch 2 different paths, and blacklist one folder within the second path, and nothing is working. What is the recommended solution for getting the forwarder to watch these two paths:
/var/log
/Library/Logs
and blacklist /Library/Logs/CrashPlan?
My current inputs.conf contains this:
[default]
host = one.example.com
[monitor:///var/log]
I've read the documentation and tried regex a handful of different ways but can't get it to work. I'm using the latest release.
I'm making a change, then restarting the forwarder, then running this to confirm if it's working or not:
/Applications/splunkforwarder/bin/splunk list monitor
Thanks!
You could also make use of the 'recurse' attribute - see:
http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf
[default]
host = one.example.com
[monitor:///var/log]
sourcetype=xxx
[monitor:///Library/Logs]
sourcetype=yyy
recurse = false
/K
Thanks for your response. That's good to know... In this case, though, there are other directories within /Library/Logs/* that I do want it to use.
This seems to have worked.
[default]
host = one.example.com
[monitor:///var/log]
[monitor:///Library/Logs]
blacklist = CrashPlan*
I think I had
blacklist=*CrashPlan*
before and that didn't work.
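An added example, not part of the original posts: the inputs.conf blacklist value is a regular expression tested against the file path, not a shell glob, so the two patterns from the thread can be checked offline before restarting the forwarder. It assumes Python's re module as a stand-in for Splunk's regex engine and an unanchored match; the sample paths and the anchored pattern are constructed here.

```python
import re

# Constructed sample paths for illustration (not taken from the thread).
SAMPLE_PATHS = [
    "/var/log/system.log",
    "/Library/Logs/CrashPlan/service.log.0",
    "/Library/Logs/CrashPlanner/app.log",      # hypothetical sibling directory
    "/Library/Logs/DiagnosticReports/app.crash",
]

# Patterns from the thread, plus a tighter one added here as a suggestion.
THREAD_BROKEN = "*CrashPlan*"                   # glob syntax, not a regex
THREAD_WORKING = "CrashPlan*"                   # regex: "CrashPla" + zero or more "n"
ANCHORED = r"^/Library/Logs/CrashPlan(/|$)"     # only that directory and its contents


def excluded(pattern, paths=SAMPLE_PATHS):
    """Return the paths an unanchored regex search would blacklist.

    Returns None when the pattern does not compile as a regex.
    """
    try:
        rx = re.compile(pattern)
    except re.error:
        return None
    return [p for p in paths if rx.search(p)]


if __name__ == "__main__":
    for pat in (THREAD_BROKEN, THREAD_WORKING, ANCHORED):
        hits = excluded(pat)
        if hits is None:
            print(f"{pat!r}: invalid regex")
        else:
            print(f"{pat!r}: excludes {hits}")
```

The pattern that worked in the thread also matches any path containing "CrashPla", so the anchored form is the safer choice when other logs under /Library/Logs must keep flowing.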