Can any one help how to blacklist a file , the file is monitored and linked in two stanzas
can you please update us your inputs.conf..
Blacklist (ignore) files
To define the files you want to exclude from indexing, add the following line to your monitor stanza in the /local/inputs.conf file for the app this input was defined in:
blacklist = <your_custom_regex>
If you create a blacklist line for each file you want to ignore, Splunk software activates only the last filter.
To ignore and not monitor only files with the .txt extension:
blacklist = \.txt$
To ignore and not monitor all files with either the .txt extension OR the .gz extension (note that you use the "|" for this):
blacklist = \.(?:txt|gz)$
To ignore entire directories beneath a monitor input refer to this example:
blacklist = archive|historical|\.bak$
This example tells Splunk software to ignore all files under /mnt/logs/ within the archive or historical directories and all files ending in *.bak.
To ignore files whose names contain a specific string, you can do:
blacklist = 2009022file\.txt$
This example ignores the webserver20090228file.txt and webserver20090229file.txt files under /mnt/logs/.