topic Re: In inputs.conf whitelist, how do I create a regex expression for whitelisting files which contain a certain string? in Getting Data In

In inputs.conf whitelist, how do I create a regex expression for whitelisting files which contain a certain string?

coreyf311 — Tue, 29 Sep 2020 21:38:58 GMT

I need to whitelist files that contain a string in any case and in any place in the filename. And, they can either be .txt or .csv. For example.....any file that contains the string "termite"

termite.txt or termite.csv or TERMite.txt or october_termite_file01.csv

I got "/termite/gmi" from regex 101 but does not seem to work in inputs.conf whitelist.

Re: In inputs.conf whitelist, how do I create a regex expression for whitelisting files which contain a certain string?

nick405060 — Thu, 18 Oct 2018 18:14:14 GMT

Try <field>=%(?i)[\s\S]*termite[\s\S]*%

It's been a while but as I remember inputs.conf doesn't allow quotation marks when using regexs, or . as a wildcard. The above regex worked for me (minus the (?i) for case, but that should be okay for you) for blacklisting. See:

https://answers.splunk.com/answers/671735/why-is-blacklisting-windows-event-logs-on-a-deploy-1.html

Re: In inputs.conf whitelist, how do I create a regex expression for whitelisting files which contain a certain string?

sudosplunk — Thu, 18 Oct 2018 18:34:42 GMT

How about this whitelist = (?i)termite

Re: In inputs.conf whitelist, how do I create a regex expression for whitelisting files which contain a certain string?

coreyf311 — Mon, 22 Oct 2018 14:58:44 GMT

Thank you for all the suggestions. Here is what I came up with. I ended up needing multiple strings in the whitelist. I realize there are probably other ways but this one works for me.

whitelist = (.*string.*|.*otherstring.*|.*something.*)