can you please update us your inputs.conf..
Blacklist (ignore) files
To define the files you want to exclude from indexing, add the following line to your monitor stanza in the /local/inputs.conf file for the app this input was defined in:
blacklist = <your_custom_regex>
If you create a blacklist line for each file you want to ignore, Splunk software activates only the last filter.
To ignore and not monitor only files with the .txt extension:
[monitor:///mnt/logs]
blacklist = \.txt$
To ignore and not monitor all files with either the .txt extension OR the .gz extension (note that you use the "|" for this):
[monitor:///mnt/logs]
blacklist = \.(?:txt|gz)$
To ignore entire directories beneath a monitor input refer to this example:
[monitor:///mnt/logs]
blacklist = archive|historical|\.bak$
This example tells Splunk software to ignore all files under /mnt/logs/ within the archive or historical directories and all files ending in *.bak.
To ignore files whose names contain a specific string, you can do:
[monitor:///mnt/logs]
blacklist = 2009022[89]file\.txt$
This example ignores the webserver20090228file.txt and webserver20090229file.txt files under /mnt/logs/.
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
