https://community.splunk.com/t5/Splunk-Search/How-is-regex-in-whitelist-of-inputs-monitor-for-indexing-file-to/m-p/372472#M109546 <P>I try to index sybase logs which are located in /sybase/SID/ASE-1(5|6)_0/install/SID.log (SID is variable System-ID)</P> <P>In Whitelist i only want to monitor files with FL2.log or ACE.log normal regex should be ^[A-Z0-9]{3}.log$</P> <P>I will use following monitor-stanza on Universal Forwarder:</P> <PRE><CODE>[monitor:///sybase/*/ASE-1*_0/install/] whitelist=^[A-Z0-9]{3}\.log$ sourcetype=source_sybase index=ios_db _TCP_ROUTING=splunk_main disabled=false </CODE></PRE> <P>But then nothing is indexed.</P> <P>If I use the same stanza without the ^(anchor), then too many files like SID.log or SID_JSAGENT.log are indexed.</P> <PRE><CODE>[monitor:///sybase/*/ASE-1*_0/install/] whitelist=[A-Z0-9]{3}\.log$ sourcetype=source_sybase index=ios_db _TCP_ROUTING=splunk_main disabled=false </CODE></PRE> <P>Does someone have an idea why this is not working or is this a bug in splunk?</P> Fri, 24 Mar 2017 09:04:28 GMT klowk 2017-03-24T09:04:28Z https://community.splunk.com/t5/Splunk-Search/How-is-regex-in-whitelist-of-inputs-monitor-for-indexing-file-to/m-p/372472#M109546 <P>I try to index sybase logs which are located in /sybase/SID/ASE-1(5|6)_0/install/SID.log (SID is variable System-ID)</P> <P>In Whitelist i only want to monitor files with FL2.log or ACE.log normal regex should be ^[A-Z0-9]{3}.log$</P> <P>I will use following monitor-stanza on Universal Forwarder:</P> <PRE><CODE>[monitor:///sybase/*/ASE-1*_0/install/] whitelist=^[A-Z0-9]{3}\.log$ sourcetype=source_sybase index=ios_db _TCP_ROUTING=splunk_main disabled=false </CODE></PRE> <P>But then nothing is indexed.</P> <P>If I use the same stanza without the ^(anchor), then too many files like SID.log or SID_JSAGENT.log are indexed.</P> <PRE><CODE>[monitor:///sybase/*/ASE-1*_0/install/] whitelist=[A-Z0-9]{3}\.log$ sourcetype=source_sybase index=ios_db _TCP_ROUTING=splunk_main disabled=false </CODE></PRE> <P>Does someone have an idea why this is not working or is this a bug in splunk?</P> Fri, 24 Mar 2017 09:04:28 GMT https://community.splunk.com/t5/Splunk-Search/How-is-regex-in-whitelist-of-inputs-monitor-for-indexing-file-to/m-p/372472#M109546 klowk 2017-03-24T09:04:28Z https://community.splunk.com/t5/Splunk-Search/How-is-regex-in-whitelist-of-inputs-monitor-for-indexing-file-to/m-p/372473#M109547 <P>Remember, the regex is matching against ANY PART OF the incoming file name, including the directory. The same regex DOES match those <CODE>SID_JSAGENT.log</CODE> files ... the <CODE>ENT.log</CODE> part. </P> <P>Try this...</P> <PRE><CODE> whitelist=\/[A-Z0-9]{3}\.log$ </CODE></PRE> <HR /> <P>updated to escape the slash.</P> Fri, 24 Mar 2017 15:21:34 GMT https://community.splunk.com/t5/Splunk-Search/How-is-regex-in-whitelist-of-inputs-monitor-for-indexing-file-to/m-p/372473#M109547 DalJeanis 2017-03-24T15:21:34Z https://community.splunk.com/t5/Splunk-Search/How-is-regex-in-whitelist-of-inputs-monitor-for-indexing-file-to/m-p/372474#M109548 <P>Yes that is correct i forgot that is the complete file name with directory. In your answer is only missing the escape before the backslash. Following is working for me:</P> <PRE><CODE>[monitor:///sybase/*/ASE-1*_0/install/] whitelist=\/[A-Z0-9]{3}\.log$ sourcetype=source_sybase </CODE></PRE> <P>Thanks for your answer.</P> Mon, 27 Mar 2017 09:35:10 GMT https://community.splunk.com/t5/Splunk-Search/How-is-regex-in-whitelist-of-inputs-monitor-for-indexing-file-to/m-p/372474#M109548 klowk 2017-03-27T09:35:10Z https://community.splunk.com/t5/Splunk-Search/How-is-regex-in-whitelist-of-inputs-monitor-for-indexing-file-to/m-p/372475#M109549 <P>updated. Please accept the answer so that the question will show complete.</P> Mon, 27 Mar 2017 14:59:59 GMT https://community.splunk.com/t5/Splunk-Search/How-is-regex-in-whitelist-of-inputs-monitor-for-indexing-file-to/m-p/372475#M109549 DalJeanis 2017-03-27T14:59:59Z