https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314327#M94074 <P>Hi, Thanks, but these files could be multiple levels down from the main directory</P> Thu, 06 Apr 2017 16:52:48 GMT robertlynch2020 2017-04-06T16:52:48Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314323#M94070 <P>Hi </P> <P>I have the following file in multiple sub directories. I am trying to pick them up but the below is not working and i can't crack it.<BR /> The regex is good, but it just won't take them it... any help would be super... I am thinking something very small is wrong here.</P> <P>-rw-rw-r-- 1 autoengine murex 4772 Apr 6 17:24 mxtiming_730010_dell427srv_121.log<BR /> -rw-rw-r-- 1 autoengine murex 4772 Apr 6 17:26 mxtiming_730018_dell427srv_504.log<BR /> -rw-rw-r-- 1 autoengine murex 4772 Apr 6 17:27 mxtiming_730022_dell427srv_531.log</P> <PRE><CODE>[monitor:///net/dell427srv//data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART/.../*.log] disabled = false host = RSAT_Campaign index = mlc_live whitelist = mxtiming_\d+_\w+_\d+.*\.log$ sourcetype = MX_TIMING </CODE></PRE> Tue, 29 Sep 2020 13:33:57 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314323#M94070 robertlynch2020 2020-09-29T13:33:57Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314324#M94071 <P>Try this change:</P> <PRE><CODE> [monitor:///net/dell427srv//data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART/*/] </CODE></PRE> <P>This assumes only a single directory layer between <CODE>QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART</CODE> and your files. Leave everything else the same. Restart your forwarder's splunk instance.</P> Thu, 06 Apr 2017 16:29:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314324#M94071 woodcock 2017-04-06T16:29:18Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314325#M94072 <P>Hi,<BR /> Can you share sn example of not wanted files?<BR /> At a first sight you could insert part of filename in monitor<BR /> [monitor://net/dell427srv/data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART/.../mxtiming_*.log]<BR /> Beware that there is a double slash in tour path.<BR /> Every way you could change your regex in this way<BR /> mxtiming_[^<EM>]+</EM>[^<EM>]+</EM>[^.]+.log<BR /> Bye.<BR /> Giuseppe </P> Tue, 29 Sep 2020 13:34:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314325#M94072 gcusello 2020-09-29T13:34:03Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314326#M94073 <P>Hi</P> <P>I have files like below that i don't want to take in.<BR /> mxtiming_adaptposnbstoredpltables_20170306-093752167_44364646_6902.log<BR /> mxtiming_removecommodityfuturesindexplinstruments_20170306-093752167_222279393_6902.log</P> <P>Cheers for you help</P> Tue, 29 Sep 2020 13:34:06 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314326#M94073 robertlynch2020 2020-09-29T13:34:06Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314327#M94074 <P>Hi, Thanks, but these files could be multiple levels down from the main directory</P> Thu, 06 Apr 2017 16:52:48 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314327#M94074 robertlynch2020 2017-04-06T16:52:48Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314328#M94075 <P>Hi No Luck, i tried this but nothing come out</P> <PRE><CODE>[monitor://net/dell427srv/data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART/.../*.log] disabled = false host = RSAT_Campaign index = mlc_live whitelist = mxtiming_[^]+[^]+[^.]+.log$ sourcetype = MX_TIMING </CODE></PRE> Thu, 06 Apr 2017 17:18:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314328#M94075 robertlynch2020 2017-04-06T17:18:18Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314329#M94076 <P>Can you please give the full path to a few of these? Feel free to alter directory names as needed for confidentiality, but we need to see the way the full path looks in order to check some things.</P> Thu, 06 Apr 2017 19:48:12 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314329#M94076 DalJeanis 2017-04-06T19:48:12Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314330#M94077 <P>Hi robertlynch2020,<BR /> sorry but I answered using my smartphone that has limited function keyboards!<BR /> regex isn't correct, try:</P> <PRE><CODE>mxtiming_[^_]+_[^_]+_[^\.]+\.log$ </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 07 Apr 2017 07:58:49 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314330#M94077 gcusello 2017-04-07T07:58:49Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314331#M94078 <P>Thanks for your help on this , I think we are close.<BR /> To explain the issues more.</P> <P>Wanted Files<BR /> Any sub directory of the main </P> <PRE><CODE>[dell427srv/data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART] dell427srv/data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART/X/Y/A/mxtiming_730010_dell427srv_121.log Or dell427srv/data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART/A/X/mxtiming_730018_dell427srv_504.log Or. Etc.. mxtiming_730010_dell427srv_121.log mxtiming_730018_dell427srv_504.log mxtiming_730022_dell427srv_531.log </CODE></PRE> <P>Unwanted Files<BR /> The files I don’t want are below and again they can also come into any subdirectory</P> <PRE><CODE>mxtiming_commoditynearbyonindexhistoricaldata_20170306-093752167_1294331273_6902.log mxtiming_commoditynearbyonindextofutures_20170306-093752167_1718781102_6902.log mxtiming_datamartdatasetlabelstransfer_20170306-093752167_1714912538_6902.log mxtiming_fillcommoditytimeunits_20170306-093752167_1066971732_6902.log mxtiming_obsolete_typology_cleanup_in_stp_rights_20170306-093752167_1206801397_6902.log mxtiming_new_stp_rights_migration_20170306-093752167_252516786_6902.log mxtiming_adapt_warehouse_rebuild_20170306-093752167_1385637444_6902.log mxtiming_updatepricingbookingpretraderouters_20170306-093752167_904493553_6902.log mxtiming_collateralinterestopsobjectupgrade_20170306-093752167_1527129704_6902.log mxtiming_refreshaccountssidata_20170306-093752167_421251909_6902.log dell427srv/data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART/X/Y/A/mxtiming_adaptposnbstoredpltables_20170306-093752167_44364646_6902.log Or dell427srv/data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART/A/Z/A/mxtiming_removecommodityfuturesindexplinstruments_20170306-093752167_222279393_6902.log OR . </CODE></PRE> <P>…etc..</P> Fri, 07 Apr 2017 09:00:15 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314331#M94078 robertlynch2020 2017-04-07T09:00:15Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314332#M94079 <P>Hi robertlynch2020,,<BR /> try this one, it should be correct (see <A href="https://regex101.com/r/8Mzm3g/1">https://regex101.com/r/8Mzm3g/1</A>)</P> <PRE><CODE>mxtiming_(?&lt;ppp&gt;\d*_[^_]*_\d*)\.log </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 07 Apr 2017 09:15:46 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314332#M94079 gcusello 2017-04-07T09:15:46Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314333#M94080 <P>Thanks for your help on this , I think we are close.<BR /> To explain the issues more.</P> <P>Wanted Files<BR /> Any sub directory of the main</P> <PRE><CODE>[dell427srv/data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART] dell427srv/data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART/X/Y/A/mxtiming_730010_dell427srv_121.log Or dell427srv/data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART/A/X/mxtiming_730018_dell427srv_504.log Or. Etc.. mxtiming_730010_dell427srv_121.log mxtiming_730018_dell427srv_504.log mxtiming_730022_dell427srv_531.log </CODE></PRE> <P>Unwanted Files<BR /> The files I don’t want are below and again they can also come into any subdirectory</P> <PRE><CODE> mxtiming_commoditynearbyonindexhistoricaldata_20170306-093752167_1294331273_6902.log mxtiming_commoditynearbyonindextofutures_20170306-093752167_1718781102_6902.log mxtiming_datamartdatasetlabelstransfer_20170306-093752167_1714912538_6902.log mxtiming_fillcommoditytimeunits_20170306-093752167_1066971732_6902.log mxtiming_obsolete_typology_cleanup_in_stp_rights_20170306-093752167_1206801397_6902.log mxtiming_new_stp_rights_migration_20170306-093752167_252516786_6902.log mxtiming_adapt_warehouse_rebuild_20170306-093752167_1385637444_6902.log mxtiming_updatepricingbookingpretraderouters_20170306-093752167_904493553_6902.log mxtiming_collateralinterestopsobjectupgrade_20170306-093752167_1527129704_6902.log mxtiming_refreshaccountssidata_20170306-093752167_421251909_6902.log dell427srv/data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART/X/Y/A/mxtiming_adaptposnbstoredpltables_20170306-093752167_44364646_6902.log Or dell427srv/data1/apps/QCST_DBS_RSAT_v3.1.38_MASTER_DONOTRESTART/A/Z/A/mxtiming_removecommodityfuturesindexplinstruments_20170306-093752167_222279393_6902.log OR . </CODE></PRE> Fri, 07 Apr 2017 09:30:10 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314333#M94080 robertlynch2020 2017-04-07T09:30:10Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314334#M94081 <P>Hi </P> <P>So it looks like i get this to work, with the regex - thanks.<BR /> whitelist = mxtiming_(?\d*<EM>[^</EM>]<EM>_\d</EM>).log</P> Tue, 29 Sep 2020 13:34:55 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314334#M94081 robertlynch2020 2020-09-29T13:34:55Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314335#M94082 <P>Hi - This worked thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 07 Apr 2017 11:23:29 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314335#M94082 robertlynch2020 2017-04-07T11:23:29Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314336#M94083 <P>Hi - I tried this, but it only give me the subdirectories and not the main directory.</P> <P>So it looks like i need to lines in my inputs.conf to get the main directory and all its subdirectories</P> <PRE><CODE>[monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM5/*.log] disabled = false recursive = true host = MXTIMING_LIVE_TEST5 index = mlc_live whitelist = mxtiming_(?&lt;ppp&gt;\d*_[^_]*_\d*)\.log crcSalt = &lt;SOURCE&gt; sourcetype = MX_TIMING [monitor:///net/dell425srv/dell425srv/apps/SPLUNK_BACK_UP_LIVE/MXTIMING_MEDIUM5/.../*.log] disabled = false recursive = true host = MXTIMING_LIVE_TEST5 index = mlc_live whitelist = mxtiming_(?&lt;ppp&gt;\d*_[^_]*_\d*)\.log crcSalt = &lt;SOURCE&gt; sourcetype = MX_TIMING </CODE></PRE> Fri, 07 Apr 2017 11:27:12 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-regex-in-inputs-conf-not-working-for-monitoring-my/m-p/314336#M94083 robertlynch2020 2017-04-07T11:27:12Z