I have an inputs.conf file that has multiple monitor stanzas and it appears that the blacklist used on one of the stanzas is being applied to all ...
My aim is to have 4 sourcetypes for the same index with the last sourcetype (search) not showing the logs from the first 3 logs.
Testing locally worked wonders -- grabbed all logs and put them all in their respective sourcetypes and filtered the blacklisted elements from the 4th
**BUT**
when being processed through to the Universal Forwarder, the blacklist seems to be overriding the entire file thus never getting the applications, server, or audit logs
inputs.conf
`[monitor:///data/web/defaultroot/newlogs/test/applications.log]
index=test
sourcetype=applications
disabled=0
[monitor:///data/web/defaultroot/newlogs/test/server.log]
index=test
sourcetype=server
disabled=0
[monitor:///data/web/defaultroot/newlogs/test/audit.log]
index=test
sourcetype=audit
disabled=0
[monitor:///data/web/defaultroot/newlogs/test/*.log]
index=test
sourcetype=search
disabled=0
blacklist1=*gz
blacklist2=applications*
blacklist3=server*
blacklist4=audit*`
↧