I am having an issue with one of my monitor stanzas in inputs.conf. The stanza is as below:
[monitor://E:Speech\Tomcat2232\logs\abc-call-router.log]
index = x
sourcetype = y
blacklist = .(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$
disabled = 0
So I am expecting the above monitor to only ingest E:\Speech\Tomcat2232\logs\abc-call-router.log, but it is also ingesting E:\Speech\Tomcat2232\logs\abc-call-router.log.1 and E:\Speech\Tomcat2232\logs\abc-call-router.log.2, which I don't want to happen.
Does anyone know why it is happening?
I have been scratching my head. Any help appreciated.
Thanks.
Hi
I'm not sure if these help, but at least you should fix those.
[monitor://E:\Speech\Tomcat2232\logs\abc-call-router.log]
blacklist = \.(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$
As blacklist is a regular expression you must escape . as \. Also, you should add the missing \ after the drive letter.
You could use splunk btool inputs list --debug to check how the Splunk UF sees this stanza and where it takes those definitions from.
r. Ismo
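The escaping point in the answer above, as an added example that is not part of the original posts: it runs both blacklist patterns from the thread over a few paths to show what each one actually matches. It assumes Python's `re` behaves like Splunk's regex engine for this pattern and that the blacklist is an unanchored match against the full path; the `.log.gz` and `abc-search` paths are constructed for illustration.

```python
import re

# Patterns copied from the thread: the original blacklist and the escaped form.
UNESCAPED = r".(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$"
ESCAPED = r"\.(gz|tar|tgz|zip|bkz|arch|etc|tmp|swp|nfs|swn)$"

LOG_DIR = "E:\\Speech\\Tomcat2232\\logs\\"

SAMPLE_PATHS = [
    LOG_DIR + "abc-call-router.log",     # path from the thread
    LOG_DIR + "abc-call-router.log.1",   # rotated file from the thread
    LOG_DIR + "abc-call-router.log.2",   # rotated file from the thread
    LOG_DIR + "abc-call-router.log.gz",  # constructed: compressed rotation
    LOG_DIR + "abc-search",              # constructed: no extension, ends in "arch"
]


def blacklisted(pattern, path):
    """Return True if the pattern matches anywhere in the path (assumed semantics)."""
    return re.search(pattern, path) is not None


def compare(paths):
    """Map each path to (hit with unescaped pattern, hit with escaped pattern)."""
    return {p: (blacklisted(UNESCAPED, p), blacklisted(ESCAPED, p)) for p in paths}


if __name__ == "__main__":
    for path, (unescaped_hit, escaped_hit) in compare(SAMPLE_PATHS).items():
        print(f"{path:50} unescaped={unescaped_hit!s:5} escaped={escaped_hit}")
```

Neither pattern matches the `.log.1` and `.log.2` names, so this blacklist does not filter them in either form. The unescaped pattern additionally matches `abc-search`, because `.` accepts any character before `arch`.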
Hi @isoutamo ,
Thank you for the answer and trying to help me.
I have added the escape ./ in the blacklist. Since it is a Windows box, there shouldn't be a third / after the drive letter.