I have a group of hosts that use the blacklist function in a monitor stanza in inputs.conf. Here is the referenced stanza:
[monitor:///usr/Interwoven/LiveSiteDisplayServices/runtime/tomcat/logs/*.log]
sourcetype = log4j
source = sfo-lsds-log
index = tnt13
blacklist = (http-client\.log$|globalsession\.log$|snapfish\.log$|livesite-runtime\.log$|catalina\.out$)
All of the logs in the blacklist do NOT get indexed to the referenced index (tnt13) in the stanza, but do get indexed to Main.
I have also tried the following, but the issue of events indexing to main persists:
[monitor:///usr/Interwoven/LiveSiteDisplayServices/runtime/tomcat/logs/]
sourcetype = log4j
source = sfo-lsds-log
index = tnt13
blacklist = http-client\.log$|globalsession\.log$|snapfish\.log$|livesite-runtime\.log$|catalina\.out$
Also of note, the source defined in the stanza does not appear to apply to the events as indexed in tnt13 or main.