https://community.splunk.com/t5/Getting-Data-In/whitelist-syntax-inputs-conf/m-p/38866#M7185 <P>I'd like to index files in /DIR/autosys/logs as below;</P> <P>Linux equivalent:<BR /> cd /DIR/autosys/logs<BR /> ls app*ua1*START_MT*</P> <P>Please can someone help me correct below:</P> <P>[monitor:///DIR/autosys/logs]<BR /> whitelist = app\ua1\STOP_MT\$<BR /> disabled = false<BR /> index = test_index</P> Mon, 28 Sep 2020 13:56:16 GMT nathanlhopkins 2020-09-28T13:56:16Z https://community.splunk.com/t5/Getting-Data-In/whitelist-syntax-inputs-conf/m-p/38866#M7185 <P>I'd like to index files in /DIR/autosys/logs as below;</P> <P>Linux equivalent:<BR /> cd /DIR/autosys/logs<BR /> ls app*ua1*START_MT*</P> <P>Please can someone help me correct below:</P> <P>[monitor:///DIR/autosys/logs]<BR /> whitelist = app\ua1\STOP_MT\$<BR /> disabled = false<BR /> index = test_index</P> Mon, 28 Sep 2020 13:56:16 GMT https://community.splunk.com/t5/Getting-Data-In/whitelist-syntax-inputs-conf/m-p/38866#M7185 nathanlhopkins 2020-09-28T13:56:16Z https://community.splunk.com/t5/Getting-Data-In/whitelist-syntax-inputs-conf/m-p/38867#M7186 <P>This should work:</P> <PRE><CODE>[monitor:///DIR/autosys/logs] whitelist = app.*ua1.*START_MT.*$ disabled = false index = test_index </CODE></PRE> <P>Also, this should work just as well:</P> <PRE><CODE>[monitor:///DIR/autosys/logs/app*ua1*START_MT*] disabled = false index = test_index </CODE></PRE> <HR /> <P>Whitelists and blacklists are just regular expressions. The equivalent to a <CODE>*</CODE> glob (shell expansion) is <CODE>".*"</CODE>. The best way to visualize how whitelists/blacklists work from a unix point of view is</P> <PRE><CODE>find $STARTDIR -print | egrep "$WHITELIST" | egrep -v "$BLACKLIST" </CODE></PRE> Sun, 19 May 2013 01:11:43 GMT https://community.splunk.com/t5/Getting-Data-In/whitelist-syntax-inputs-conf/m-p/38867#M7186 dwaddle 2013-05-19T01:11:43Z https://community.splunk.com/t5/Getting-Data-In/whitelist-syntax-inputs-conf/m-p/38868#M7187 <P>sorry - something seems to be wrong with pasting into these boxes - i'm after:</P> <P>ls app*ua1*START_MT*</P> Mon, 28 Sep 2020 13:56:19 GMT https://community.splunk.com/t5/Getting-Data-In/whitelist-syntax-inputs-conf/m-p/38868#M7187 nathanlhopkins 2020-09-28T13:56:19Z https://community.splunk.com/t5/Getting-Data-In/whitelist-syntax-inputs-conf/m-p/38869#M7188 <P>sorry - I didn't realise markdown was removing my *'s - i'm after: ls app*ua1*START_MT*</P> Sun, 19 May 2013 21:35:49 GMT https://community.splunk.com/t5/Getting-Data-In/whitelist-syntax-inputs-conf/m-p/38869#M7188 nathanlhopkins 2013-05-19T21:35:49Z https://community.splunk.com/t5/Getting-Data-In/whitelist-syntax-inputs-conf/m-p/38870#M7189 <P>easiest way to deal with the markdown formatting is to actually use a code block (4 spaces)</P> Mon, 20 May 2013 04:21:09 GMT https://community.splunk.com/t5/Getting-Data-In/whitelist-syntax-inputs-conf/m-p/38870#M7189 dwaddle 2013-05-20T04:21:09Z https://community.splunk.com/t5/Getting-Data-In/whitelist-syntax-inputs-conf/m-p/38871#M7190 <P>Many thanks - I didn't really need the whitelist as you pointed out</P> Wed, 22 May 2013 19:19:11 GMT https://community.splunk.com/t5/Getting-Data-In/whitelist-syntax-inputs-conf/m-p/38871#M7190 nathanlhopkins 2013-05-22T19:19:11Z