Getting Data In

Is it possible to use regular expressions and wildcard in the monitoring stanza of inputs.conf?

Contributor

In inputs.conf for monitor stanza, can we write regex?

If so,
/opt/splunk/cgate* matches (/opt/splunk/cgateee) or (/opt/splunk/cgateabd)

Can we use wildcards(*) for whitelist attribute?

0 Karma

Ultra Champion

The * wildcard is available. Explained nicely at Note concerning wildcards and monitor:

It says -

alt text

I usually check myself by running the monitor part in ls -

ls /opt/splunk/cgate*. If it returns the desired /opt/splunk/cgateee and/or /opt/splunk/cgateabd I know I'm fine.

0 Karma

Path Finder

Sure, you can add regex to whitelist/blacklist in inputs.conf.

You can found the doc here: (http://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata).

If you add whitelist = \.log$, Splunk will monitor only *.log files

0 Karma