I have removed a sourcetype from my inputs.conf:

[monitor:///data01/.../current/logs/*.log]
disabled = 0
sourcetype = log4j
index = oms
blacklist = gc\.(web|Node)[1-4]\.log

It's been changed to split up the sourcetypes as follows:

[monitor:///data01/.../current/logs/fxoms*.log]
disabled = 0
sourcetype = oms
index = oms
blacklist = gc\.(web|Node)[1-4]\.log

[monitor:///data01/.../current/logs/fxlm*.log]
disabled = 0
sourcetype = lm
index = oms
blacklist = gc\.(web|Node)[1-4]\.log

[monitor:///data01/.../current/logs/tomcat*.log]
disabled = 0
sourcetype = tomcat
index = oms
blacklist = gc\.(web|Node)[1-4]\.log

[monitor:///data01/.../current/logs/*gc*.log]
disabled = 0
sourcetype = sun_jvm
crcSalt =
index = jmx

[monitor:///data01/app/oms-holiday-adapter/current/logs/*.log]
disabled = 0
sourcetype = oms
index = oms

[monitor:///data01/app/oms-client-account-adapter/current/logs/*.log]
disabled = 0
sourcetype = oms
index = oms

I have restarted the forwarder and can now see the 3 new sourcetypes lm, oms and tomcat, but I am still getting a couple of log files being ingested with the sourcetype log4j.
There is no longer any reference to log4j in the config on the host.
How is it doing this?