Getting Data In

Multiple Whitelists

robertlynch2020
Influencer

Hi

I have the following two inputs in inputs.conf. They both work separably but not together.

**Working**
[monitor:///net/dell428srv/data2/apps/mx_ox62148_191418/logs_latest_17052017-064938.../*.log]
disabled = false
host = MXTIMING_TEST1_DELL428SRV
index = mlc_live
whitelist =  mxtiming_(?<FULL_STRING>\d*_[^_]*_\d*)\.log
crcSalt = <SOURCE>
sourcetype = MX_TIMING

**Working**
[monitor:///net/dell428srv/data2/apps/mx_ox62148_191418/logs_latest_17052017-064938.../*.log]
disabled = false
host = MXTIMING_TEST1_DELL428SRV
index = mlc_live
whitelist =  mxtiming_(?<FULL_STRING>[^_]*_[^_]*_\d*_[^_]*_\d*)\.log
crcSalt = <SOURCE>
sourcetype = MX_TIMING

When i try to add them together with a | nothing works, i have a few to add so i don't want to have to keep copying this code

    **NOT_WORKING**
    [monitor:///net/dell428srv/data2/apps/mx_ox62148_191418/logs_latest_17052017-064938.../*.log]
    disabled = false
    host = MXTIMING_TEST1_DELL428SRV
    index = mlc_live
    whitelist =  mxtiming_(?<FULL_STRING>\d*_[^_]*_\d*)\.log|mxtiming_(?<FULL_STRING>[^_]*_[^_]*_\d*_[^_]*_\d*)\.log
crcSalt = <SOURCE>
sourcetype = MX_TIMING

Any ideas would be great 🙂

0 Karma
1 Solution

cpetterborg
SplunkTrust
SplunkTrust

Two things. First, your regex is invalid, you define FULL_STRING twice, which is not allowed in a regex. Since you aren't using a named capture group later, just get rid of it.

Second, parenthesis will be your friend. Try:

whitelist =  (mxtiming_(\d*_[^_]*_\d*)\.log)|(mxtiming_([^_]*_[^_]*_\d*_[^_]*_\d*)\.log))

But, you can't make it better:

whitelist = mxtiming_((\d*_[^_]*_\d)|([^_]*_[^_]*_\d*_[^_]*_\d*))\.log

I'm not sure why you don't just use:

whitelist = mxtiming_.*\.log

Which should work just as well, if you don't have a third name that uses mxtiming_*.log.

View solution in original post

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

Two things. First, your regex is invalid, you define FULL_STRING twice, which is not allowed in a regex. Since you aren't using a named capture group later, just get rid of it.

Second, parenthesis will be your friend. Try:

whitelist =  (mxtiming_(\d*_[^_]*_\d*)\.log)|(mxtiming_([^_]*_[^_]*_\d*_[^_]*_\d*)\.log))

But, you can't make it better:

whitelist = mxtiming_((\d*_[^_]*_\d)|([^_]*_[^_]*_\d*_[^_]*_\d*))\.log

I'm not sure why you don't just use:

whitelist = mxtiming_.*\.log

Which should work just as well, if you don't have a third name that uses mxtiming_*.log.

0 Karma

robertlynch2020
Influencer

Thanks very much. In fact i went for the last option.

Cheers

0 Karma

cpetterborg
SplunkTrust
SplunkTrust

It is the easiest and will match other file names if they happen to change any in the future. I find it best to do that simplest version whenever possible. 🙂

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...

Build and Launch AI Agents from Your Splunk Workflows

  Register We’ve all been there: juggling alerts, runbooks, and endless manual searches. What if you could ...

Splunk Cloud Application Management in Terraform

Register   On Tuesday, August 4 at 11AM PDT / 2PM EDT, we’re diving into how you can bring Infrastructure as ...