In inputs.conf for monitor stanza, can we write regex?
/opt/splunk/cgate* matches (/opt/splunk/cgateee) or (/opt/splunk/cgateabd)
Can we use wildcards(*) for whitelist attribute?
The * wildcard is available. Explained nicely at Note concerning wildcards and monitor:
It says -
I usually check myself by running the monitor part in ls -
ls /opt/splunk/cgate*. If it returns the desired /opt/splunk/cgateee and/or /opt/splunk/cgateabd I know I'm fine.
Sure, you can add regex to whitelist/blacklist in inputs.conf.
You can found the doc here: (http://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata).
If you add whitelist = \.log$, Splunk will monitor only *.log files
whitelist = \.log$