I did read up on multisearch, but it seems it would collide with the dedups and transactions, right? ... View more

What about using a either the whitelist or blacklist option for the monitor stanza? http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Specifyinputpathswithwildcards http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Whitelistorblacklistspecificincomingdata [monitor:///path/*/logfile.log] blacklist = [Uu]nwanted[Hh]ost[Rr]egex[0-9]/logfile.log$ OR [monitor:///path/*/logfile.log] whitelist = /path/goodhost[0-9]/logfile.log$|/path/this[4-9]host/logfile.log$ ... View more

I almost suspected that. Thanks for summarizing my options ... "host" and "source" won't work because those are outside my jurisdiction (I don't own the monitorees) and I agree, abusing "sourcetype" for that purpose would harm "sourcetype" as a more or less well-known concept in my Splunk deployment. ... View more

This is possible, and supported, however it will be tricky if you wish to UPDATE the lookups post deploy via the deployment server. There is a deployment server option to exclude folders/files from updates: excludeFromUpdate = $app_root$/lookups This will populate the lookups directory if it doesn't exist, but if the app already has a lookups folder it will completely ignore it. If you have a single lookup file that you wish to exclude from the deployment server, you should be able to specify that particular lookup: excludeFromUpdate = $app_root$/lookups/mylookup.csv Hope this helps, Jim Goddard ... View more

nice, thanks for sharing! Will come in handy 🙂 ... View more