It is also possible to use blacklist and whitelist patterns for more complicated matching. The most common use case is to blacklist files that should not be indexed, for instance, gz and zip files. This can be done as follows:

    [monitor:///opt/B/logs/access.log*]
    sourcetype=access
    blacklist=.*\.gz

This stanza will still match access.log.2012-08-30, but if we had a script that compressed older logs, Splunk would not try to read access.log.2012-07-30.gz.
Conversely, you can use a whitelist to apply very specific patterns, as shown here:

    [monitor:///opt/applicationserver/logs]
    sourcetype=application_logs
    whitelist=(app|application|legacy|foo)\.log(\.\d{4})?
    blacklist=.*\.gz

This whitelist will match app.log, application.log ...
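
The following Python sketch is an added illustration, not code from the original text or from Splunk. It models how the two patterns filter file paths, assuming they are applied as unanchored regular expressions to the full path and that blacklist takes precedence over whitelist; Python's re module stands in for Splunk's regex engine, and the sample paths are constructed.

```python
import re

# Patterns from the whitelist stanza, with the dots escaped so they match literally.
WHITELIST = re.compile(r"(app|application|legacy|foo)\.log(\.\d{4})?")
BLACKLIST = re.compile(r".*\.gz")
# The same blacklist with the dot left unescaped, for comparison.
LOOSE_BLACKLIST = re.compile(r".*.gz")


def is_monitored(path, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Model of monitor filtering (assumed semantics): unanchored search
    on the full path, and a blacklist match always wins."""
    if blacklist is not None and blacklist.search(path):
        return False
    if whitelist is not None and not whitelist.search(path):
        return False
    return True


# Constructed sample paths under the monitored directory.
BASE = "/opt/applicationserver/logs/"
SAMPLE_PATHS = [
    BASE + "app.log",            # whitelisted
    BASE + "application.log",    # whitelisted
    BASE + "legacy.log.2012",    # whitelisted, optional 4-digit suffix
    BASE + "foo.log.2012.gz",    # whitelisted but blacklisted: skipped
    BASE + "debug.log",          # not on the whitelist: skipped
    BASE + "app.log.bak",        # still read: the whitelist has no end anchor
    BASE + "bugzilla/app.log",   # read, unless the blacklist dot is unescaped
]


def classify(paths, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Return {path: True/False} for a list of candidate paths."""
    return {p: is_monitored(p, whitelist, blacklist) for p in paths}


if __name__ == "__main__":
    strict = classify(SAMPLE_PATHS)
    loose = classify(SAMPLE_PATHS, blacklist=LOOSE_BLACKLIST)
    for path in SAMPLE_PATHS:
        print(f"{path:50} strict={strict[path]!s:5} loose={loose[path]}")
```

With the unescaped blacklist, any path containing "gz" after at least one character is excluded, so the log under the bugzilla directory would silently never be indexed.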