I have 3 different event types :

2017-02-08T08:55:32,704 [host;app1;http-bio-8115-exec-5;[[xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx] (git:stuff) text                                                       WARN  -  message1
2017-02-08T08:55:30,262 [host;app2; Pitt][generic][T#1];[[xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx] (git:stuff) text                                              WARN  -  message2
2017-02-08T08:55:29,227 [host;app3;AsyncTaskExecutor-10;[[xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx] (git:stuff) text                                                        WARN  -  message3

inputs.conf contains

[monitor:///log/*.log]
disabled = false
sourcetype = log4j
blacklist = /\S[WARN]/g

Events still get indexed. Please help with some direction.

Thank you in advance.