https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-Configuration/m-p/351532#M64462 <P>Hi</P> <P>Which one of below will work</P> <P>whitelist=.log$ or whitelist=*.log</P> <P>one more thing</P> <P>I have some log file with timestamp as well. </P> <P>like pqr.log.10/12/2017</P> <P>I want to includes these files as well.</P> <P>What I need is</P> <P>abc.log<BR /> xyz.log<BR /> pqr.log.10/11/2017</P> <P>what i don't want<BR /> abc.log.1<BR /> xyz.log.1</P> <P>Please can you provide configuration for this scenario.</P> <P>Thanks<BR /> Nikks</P> Fri, 04 Aug 2017 08:44:39 GMT nilaksh92 2017-08-04T08:44:39Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-Configuration/m-p/351530#M64460 <P>Hi Everyone,</P> <P>Need some help on configuration of Splunk forwarder.</P> <P>I have multiple log files under a directory. So, I have pointed the directory to fetch all logs from all file.</P> <P>Is that correct way?</P> <P>Now I have one requirement,</P> <P>Under that directory "Nikks", I have log file named like</P> <P>Log Files:-</P> <P>abc.log<BR /> abc.log.1<BR /> abc.log.2<BR /> xyz.log<BR /> xyz.log.1<BR /> xyz.log.2</P> <P>Like this I have lot of sets of log files under same directory.</P> <P>I just want to sent logs from abc.log and xyz.log to splunk.</P> <P>I don't need events from abc.log.1, abc.log.2 etc.</P> <P>Please let me know how to configure the forwarder for this scenario.</P> <P>Thanks in Advance<BR /> Nikks</P> Fri, 04 Aug 2017 08:02:31 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-Configuration/m-p/351530#M64460 nilaksh92 2017-08-04T08:02:31Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-Configuration/m-p/351531#M64461 <P>The <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf">inputs documentation</A> has many configuration options you could use, in your case you could:</P> <UL> <LI>Create a monitor:/// stanza for each file you want </LI> <LI>Use the whitelist stanza with your existing directory reference: whitelist=\.log$</LI> <LI>Use the blacklist stanza and exclude files you do not want.</LI> </UL> <P>I would use the whitelist option in your scenario if you are happy with either not hardcoding the sourcetype in the inputs.conf <EM>or</EM> having a single sourcetype for all the files.</P> <P>Any of the options listed could work.</P> Fri, 04 Aug 2017 08:14:58 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-Configuration/m-p/351531#M64461 gjanders 2017-08-04T08:14:58Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-Configuration/m-p/351532#M64462 <P>Hi</P> <P>Which one of below will work</P> <P>whitelist=.log$ or whitelist=*.log</P> <P>one more thing</P> <P>I have some log file with timestamp as well. </P> <P>like pqr.log.10/12/2017</P> <P>I want to includes these files as well.</P> <P>What I need is</P> <P>abc.log<BR /> xyz.log<BR /> pqr.log.10/11/2017</P> <P>what i don't want<BR /> abc.log.1<BR /> xyz.log.1</P> <P>Please can you provide configuration for this scenario.</P> <P>Thanks<BR /> Nikks</P> Fri, 04 Aug 2017 08:44:39 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-Configuration/m-p/351532#M64462 nilaksh92 2017-08-04T08:44:39Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-Configuration/m-p/351533#M64463 <P>I would suggest a website like <A href="http://regex101.com">http://regex101.com</A> could be used for testing any regular expression.</P> <P>So you could do:<BR /> whitelist = \.log(\.\d+/\d+/\d+)?$</P> <P>Or you could make a blacklist for \.[123456789]$</P> <P>The $ matches end of line however *.log would likely work</P> Fri, 04 Aug 2017 08:49:38 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Forwarder-Configuration/m-p/351533#M64463 gjanders 2017-08-04T08:49:38Z