I am having an issue with one of my monitor stanzas in inputs.conf. The stanza is as below:
[monitor://E:Speech\Tomcat2232\logs\abc-call-router.log]
index = x
sourcetype = y
blacklist = .(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$
disabled = 0
So I am expecting the above monitor to only ingest E:\Speech\Tomcat2232\logs\abc-call-router.log but it is also ingesting E:\Speech\Tomcat2232\logs\abc-call-router.log.1 and E:\Speech\Tomcat2232\logs\abc-call-router.log.2, which I don't want to happen.
Does anyone know why it is happening?
I have been scratching my head. Any help appreciated.
I'm not sure if these help, but at least you should fix those.
[monitor://E:\Speech\Tomcat2232\logs\abc-call-router.log]
blacklist = \.(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$
As blacklist is a regular expression, you must escape . as \. Also, you should add the missing \ after the drive letter.
You could use splunk btool inputs list --debug to check how Splunk UF sees this stanza and where it takes those definitions from.
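
An offline check of the two blacklist values from this thread, as an added example that is not part of the original posts. It assumes the blacklist is a regex searched against the full file path, uses Python's re in place of Splunk's regex engine, and the file paths are constructed samples.

```python
import configparser
import re

# The two stanzas from the thread: as posted in the question, then as suggested in the reply.
CONF = r"""
[monitor://E:Speech\Tomcat2232\logs\abc-call-router.log]
index = x
sourcetype = y
blacklist = .(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$
disabled = 0

[monitor://E:\Speech\Tomcat2232\logs\abc-call-router.log]
blacklist = \.(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$
"""

# Constructed sample paths (not taken from a real host).
LOGDIR = "E:\\Speech\\Tomcat2232\\logs\\"
SAMPLE_PATHS = [LOGDIR + name for name in (
    "abc-call-router.log",
    "abc-call-router.log.1",
    "abc-call-router.log.2",
    "abc-call-router.log.gz",
    "abc-call-router-tmp",
)]

def load_blacklists(conf_text):
    """Return {stanza header: compiled blacklist regex} in file order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(conf_text)
    return {s: re.compile(parser[s]["blacklist"])
            for s in parser.sections() if parser.has_option(s, "blacklist")}

def excluded(pattern, paths):
    """Paths the blacklist would skip: unanchored search over the full path."""
    return [p for p in paths if pattern.search(p)]

if __name__ == "__main__":
    for stanza, pattern in load_blacklists(CONF).items():
        print(f"[{stanza}]")
        for path in SAMPLE_PATHS:
            verdict = "blacklisted" if pattern.search(path) else "not blacklisted"
            print(f"  {verdict:15} {path}")
```

On these samples neither value matches the .log.1 or .log.2 paths; the unescaped one additionally blacklists the path ending in -tmp, which the escaped one leaves alone.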