We've ~1000 directories in path and we want to monitor only a few selected directories. I tried to use the whitelist, voiding multiple monitoring stanzas. But it doesn't seem to work. I have verified this by running ./splunk list monitor on the forwarder. Here BX187898, BX676909 are directories in /enc_logs-ep3/bker and have log files in those directories.
Need assistance with the whitelist directories. I have tried with two directories, but I will have a few more added.
[monitor:///enc_logs-ep3/bker]
disabled = false
index = enc_logs
whitelist = (BX187898|BX676909)
host_regex = \S+(EP.*).\d{4}
sourcetype = enc
ignoreOlderThan = 3d
Thanks
↧