topic Is it possible to use regex in an inputs.conf monitor stanza? in Splunk Search

Is it possible to use regex in an inputs.conf monitor stanza?

edrivera3 — Fri, 30 Oct 2015 22:32:17 GMT

Is it possible to do something like this:

[MONITOR:///some directory/WE\d{8}.log]

for indexing the following filenames:
WE93820493.log
WE37245293.log

I don't want to index the following filename: WE93820493corrupt.log and WE37245293test.log which are indexed with this inputs.conf:

[MONITOR:///some directory/WE*.log]

If it is not possible, is there a way to setup my stanza so I get a similar behavior?
Thanks,

Re: Is it possible to use regex in an inputs.conf monitor stanza?

mtranchita — Fri, 30 Oct 2015 23:58:13 GMT

I think you can do what you want a number of ways but I would probably try using whitelist or blacklist in the monitor stanza.
I've listed the details on those from the reference the inputs.conf spec.

whitelist =
* If set, files from this input are monitored only if their path matches the specified regex.

blacklist =
* If set, files from this input are NOT monitored if their path matches the specified regex.

Re: Is it possible to use regex in an inputs.conf monitor stanza?

woodcock — Sat, 31 Oct 2015 02:56:17 GMT

The @mtranchita answer is the correct one but if you need to do something beyond RegEx, you can use this approach (but use additional logic):

https://answers.splunk.com/answers/309910/how-to-monitor-a-folder-for-newest-files-only-file.html

Re: Is it possible to use regex in an inputs.conf monitor stanza?

edrivera3 — Mon, 02 Nov 2015 17:40:54 GMT

I already know to use whitelist and blacklist, the problem is that those files are touched by different users and they don't use a standard way to name them. The only thing that I am sure is that they reserved this formal format: WEXXXXXXXX.log for official use. Thanks anyway for your response.