Splunk Search

How do you exclude files in a directory?

balcv
Contributor

I've been struggling with this for several days now and cannot find a solution that works for me so I am turning to you all.

I simply want to exclude 2 files from a directory from being indexed. The two files exist on one of my Linux servers and are in the /var/log/httpd directory along with regular Apache log files that I DO want indexed. The two files to be excluded are 64080_access_log and 64080_error_log.

From what I have read, the solution should be to have a blacklist line in the inputs.conf file, which I have done in the /splunk/etc/apps/Splunk_TA_nix/local directory, and it looks like:

[monitor:///var/log/httpd]
blacklist=64080_access_log|64080_error_log
disabled = true

But this is not working. After a restart of Splunk, I am still seeing log data from the blacklisted files.

In case it's relevant, I have my main Splunk host that receives those logs and does the indexing, and that is the host I have added the above code to. I also have a heavy forwarder set up as my Universal Forwarder deployment server, but it does not receive or process any log data. Am I right in adding the above code to the main Splunk server that is receiving the log data?

Many thanks.

0 Karma
1 Solution

damann
Communicator

Change disabled=true to disabled=false to activate your stanza.

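Added example (editor's code, not from the thread and not Splunk's own): a small Python simulation of how a single [monitor://] stanza decides which files it reads. It parses the stanza exactly as posted (disabled = true), the fix from the accepted answer (disabled = false), and a hypothetical third variant with the blacklist anchored to the file name. The directory listing is constructed; the entry 164080_access_log is hypothetical and exists only to show that an unanchored blacklist is a substring regex over the full path. Splunk's default/local layering across apps is not modelled.

```python
import re
from configparser import ConfigParser

# Constructed inputs.conf fragments. The first two mirror the stanza from the
# thread (disabled = true as posted, then disabled = false as the fix); the
# third is a hypothetical tighter blacklist, anchored to the file name.
INPUTS_AS_POSTED = """
[monitor:///var/log/httpd]
blacklist=64080_access_log|64080_error_log
disabled = true
"""

INPUTS_FIXED = """
[monitor:///var/log/httpd]
blacklist=64080_access_log|64080_error_log
disabled = false
"""

INPUTS_ANCHORED = r"""
[monitor:///var/log/httpd]
blacklist=(^|/)64080_(access|error)_log$
disabled = false
"""

# Constructed directory listing; the last entry is hypothetical and exists
# only to show what an unanchored substring pattern also catches.
SAMPLE_PATHS = [
    "/var/log/httpd/access_log",
    "/var/log/httpd/error_log",
    "/var/log/httpd/64080_access_log",
    "/var/log/httpd/64080_error_log",
    "/var/log/httpd/164080_access_log",
]


def parse_monitor_stanzas(text):
    """Parse [monitor://<path>] stanzas into {path: {key: value}}.

    inputs.conf is INI-like, so ConfigParser handles it. Interpolation is off
    because '%' is legal in Splunk values, and optionxform keeps key case.
    Splunk's default/local layering across apps is NOT modelled here.
    """
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    prefix = "monitor://"
    return {s[len(prefix):]: dict(cp[s]) for s in cp.sections() if s.startswith(prefix)}


def is_true(value):
    """Splunk boolean: true/1/yes all count as true."""
    return value.strip().lower() in ("true", "1", "yes")


def simulate_monitor(inputs_text, paths):
    """Return (read, excluded) for the files in `paths`.

    - A stanza with disabled = true reads nothing at all, so its blacklist
      never runs: both lists come back empty. That is the double negative
      in the thread: disabling the stanza does not "enable" the exclusion.
    - An enabled stanza reads every file under its path except those whose
      full path matches the blacklist regex (re.search, i.e. unanchored
      unless the pattern anchors itself).
    """
    read, excluded = [], []
    for base, opts in parse_monitor_stanzas(inputs_text).items():
        if is_true(opts.get("disabled", "false")):
            continue
        pattern = opts.get("blacklist")
        for path in paths:
            if not path.startswith(base.rstrip("/") + "/"):
                continue
            if pattern and re.search(pattern, path):
                excluded.append(path)
            else:
                read.append(path)
    return read, excluded


if __name__ == "__main__":
    variants = [("as posted", INPUTS_AS_POSTED),
                ("fixed", INPUTS_FIXED),
                ("anchored", INPUTS_ANCHORED)]
    for label, conf in variants:
        read, excluded = simulate_monitor(conf, SAMPLE_PATHS)
        print(f"{label:>9}: read={read}\n           excluded={excluded}")
```

Two practical notes. First, a [monitor://] input reads the local disk of the instance it is configured on, so the stanza has to live on the instance that actually opens /var/log/httpd (the forwarder on that Linux server), not on an indexer that merely receives the events. Second, this script is only a model; the authoritative view of the merged stanza and which file each setting came from is `splunk btool inputs list --debug` on that instance.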
balcv
Contributor

Damn these double negatives!! I looked at that, then talked myself into it being correct.

Thanks @damann.

0 Karma

balcv
Contributor

I feel like such a noob for this one!!

0 Karma