topic Re: whitelist regex help with multiple strings in Splunk Search

whitelist regex help with multiple strings

joesrepsolc — Tue, 29 Sep 2020 23:46:14 GMT

Trying to build a rather simple inputs.conf (or so i thought) to grab two statis named files, and the last file has a date built in, so I want to get them all, and any new ones that get created moving forward. I only need help with the whitelist part of the inputs, but can't seem to figure out the combo to get this to work.

catalina.out
vpAppLogClient.log
localhost_access_log.2019-03-19.txt (this one changes everyday)

[monitor:///opt/web/tomcatA/logs]
index = web
sourcetype = tomcat_logs
disabled = 0
whitelist = /catalina.out$|/vpAppLogClient.log$|?????

Apprecaite the help everyone!!!

Re: whitelist regex help with multiple strings

whrg — Wed, 20 Mar 2019 08:07:48 GMT

Hello @joesrepsolc,

I think it is easier here to create multiple monitor stanzas without the whitelist option:

[monitor:///opt/web/tomcatA/logs/catalina.out]
index = web
...

[monitor:///opt/web/tomcatA/logs/vpAppLogClient.log]
index = web
...

[monitor:///opt/web/tomcatA/logs/localhost_access_log.*.txt]
index = web
...

Re: whitelist regex help with multiple strings

harsmarvania57 — Wed, 20 Mar 2019 09:19:11 GMT

Hi,

Instead of creating multiple stanza, you can create single monitor input with regex. That regex will capture catalina.out , vpAppLogClient.log and localhost_access_log.YYYY-MM-DD.txt

inputs.conf

[monitor:///opt/web/tomcatA/logs]
index = web
sourcetype = tomcat_logs
disabled = 0
whitelist = (catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt)$

EDIT: Fixed typo

Re: whitelist regex help with multiple strings

joesrepsolc — Wed, 20 Mar 2019 14:01:44 GMT

I am aware of doing it this way, but it does make the length/size of the inputs.conf file much larger and a little harder to manage. But I do appreciate the response. I really wanted to understand the REGEX component so I can utilize the whitelist function.

Re: whitelist regex help with multiple strings

joesrepsolc — Wed, 20 Mar 2019 14:06:11 GMT

Trying this now, but hoping that it works! Reading thru the regex you posted... interesting stuff.

Question: Why do I need the "(" and ")" parenthesis around the statement? I missed that on one of my attempts. I also missed the "$" at the end, but was doing that on the end of each file name. Hmmm. Clearly I don't know regex well enough.

Re: whitelist regex help with multiple strings

harsmarvania57 — Wed, 20 Mar 2019 14:11:01 GMT

In regex () is capturing groups but in this monitor stanza there is no difference if we use capturing group or non-capturing group (?:). I have used () because I am using OR | and ending with $ for all 3 files in common. $ is end of line

Re: whitelist regex help with multiple strings

joesrepsolc — Wed, 20 Mar 2019 14:33:00 GMT

Thanks for the quick response. And THIS WORKED. Super cool. Thank you everyone.

Re: whitelist regex help with multiple strings

harsmarvania57 — Wed, 20 Mar 2019 14:36:27 GMT

Welcome 🙂