
## Any ideas on how I can exclude the diagnostic file from sourcetype a but then include in sourcetype b?

Loves-to-Learn

I have 2 files I want to monitor in the same directory with 2 different sourcetypes. My issue is both files are being picked up by sourcetype a because of the wildcard. The wildcard is needed for the dates that follow the log name. I tried blacklisting the diagnostic file from sourcetype a but that did not work.

```
[monitor://E:\path\to\log\directory\HFMWeb*-diagnostic.log]
sourcetype = <sourcetype b>
disabled = false
index = <index>
crcSalt = <SOURCE>

[monitor://E:\path\to\log\directory\HFMWeb*.log]
sourcetype = <sourcetype a>
disabled = false
index = <index>
crcSalt = <SOURCE>
blacklist = \-diagnostic
```

Any ideas on how I can exclude the diagnostic file from sourcetype a but then include in sourcetype b?


Builder

You could follow example 3 or 4 listed in the below manual.

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata

Hope this info helps.

Thanks

Loves-to-Learn

Hi @Splunker96 - Thank you for your response. Unfortunately, I did try blacklisting the file from sourcetype a but that didn't seem to work. When I search for sourcetype b, I don't get any results.
