https://community.splunk.com/t5/Getting-Data-In/Multiple-Whitelists/m-p/292303#M55688 <P>Thanks very much. In fact i went for the last option. </P> <P>Cheers</P> Mon, 03 Jul 2017 22:37:03 GMT robertlynch2020 2017-07-03T22:37:03Z https://community.splunk.com/t5/Getting-Data-In/Multiple-Whitelists/m-p/292301#M55686 <P>Hi</P> <P>I have the following two inputs in inputs.conf. They both work separably but not together.</P> <PRE><CODE>**Working** [monitor:///net/dell428srv/data2/apps/mx_ox62148_191418/logs_latest_17052017-064938.../*.log] disabled = false host = MXTIMING_TEST1_DELL428SRV index = mlc_live whitelist = mxtiming_(?&lt;FULL_STRING&gt;\d*_[^_]*_\d*)\.log crcSalt = &lt;SOURCE&gt; sourcetype = MX_TIMING **Working** [monitor:///net/dell428srv/data2/apps/mx_ox62148_191418/logs_latest_17052017-064938.../*.log] disabled = false host = MXTIMING_TEST1_DELL428SRV index = mlc_live whitelist = mxtiming_(?&lt;FULL_STRING&gt;[^_]*_[^_]*_\d*_[^_]*_\d*)\.log crcSalt = &lt;SOURCE&gt; sourcetype = MX_TIMING </CODE></PRE> <P>When i try to add them together with a | nothing works, i have a few to add so i don't want to have to keep copying this code</P> <PRE><CODE> **NOT_WORKING** [monitor:///net/dell428srv/data2/apps/mx_ox62148_191418/logs_latest_17052017-064938.../*.log] disabled = false host = MXTIMING_TEST1_DELL428SRV index = mlc_live whitelist = mxtiming_(?&lt;FULL_STRING&gt;\d*_[^_]*_\d*)\.log|mxtiming_(?&lt;FULL_STRING&gt;[^_]*_[^_]*_\d*_[^_]*_\d*)\.log crcSalt = &lt;SOURCE&gt; sourcetype = MX_TIMING </CODE></PRE> <P>Any ideas would be great <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 30 Jun 2017 11:42:14 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-Whitelists/m-p/292301#M55686 robertlynch2020 2017-06-30T11:42:14Z https://community.splunk.com/t5/Getting-Data-In/Multiple-Whitelists/m-p/292302#M55687 <P>Two things. First, your regex is invalid, you define FULL_STRING twice, which is not allowed in a regex. Since you aren't using a named capture group later, just get rid of it.</P> <P>Second, parenthesis will be your friend. Try:</P> <PRE><CODE>whitelist = (mxtiming_(\d*_[^_]*_\d*)\.log)|(mxtiming_([^_]*_[^_]*_\d*_[^_]*_\d*)\.log)) </CODE></PRE> <P>But, you can't make it better:</P> <PRE><CODE>whitelist = mxtiming_((\d*_[^_]*_\d)|([^_]*_[^_]*_\d*_[^_]*_\d*))\.log </CODE></PRE> <P>I'm not sure why you don't just use:</P> <PRE><CODE>whitelist = mxtiming_.*\.log </CODE></PRE> <P>Which should work just as well, if you don't have a third name that uses mxtiming_*.log.</P> Fri, 30 Jun 2017 12:21:38 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-Whitelists/m-p/292302#M55687 cpetterborg 2017-06-30T12:21:38Z https://community.splunk.com/t5/Getting-Data-In/Multiple-Whitelists/m-p/292303#M55688 <P>Thanks very much. In fact i went for the last option. </P> <P>Cheers</P> Mon, 03 Jul 2017 22:37:03 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-Whitelists/m-p/292303#M55688 robertlynch2020 2017-07-03T22:37:03Z https://community.splunk.com/t5/Getting-Data-In/Multiple-Whitelists/m-p/292304#M55689 <P>It is the easiest and will match other file names if they happen to change any in the future. I find it best to do that simplest version whenever possible. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 03 Jul 2017 22:42:22 GMT https://community.splunk.com/t5/Getting-Data-In/Multiple-Whitelists/m-p/292304#M55689 cpetterborg 2017-07-03T22:42:22Z