Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Proper way to use whitelist in inputs.conf

hajducko
Explorer
‎12-22-2010 12:51 AM

Can't seem to get this to work using whitelists in inputs.conf

I have a location I need to monitor for several log files across several directories, all of the same type:

This works:

[monitor:///var/disys/phoenix1a/jboss/cbs2-V*/default/logs/*.log]
disabled = false
sourcetype = cbs2

However, this doesn't:

[monitor:///var/disys/phoenix1a/jboss/cbs2-V*/default/logs]
whitelist = \.log$
disabled = false
sourcetype = cbs2

Am I doing something wrong here? The white list seems rather simple and it seems like it should work just fine - however, none of the logs are getting sent.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎12-22-2010 12:55 AM

This is longstanding behavior, though sort of a stumbling block.

http://www.splunk.com/base/Documentation/latest/Admin/Specifyinputpathswithwildcards#Wildcards_and_w...

"When you specify wildcards in a file input path, Splunk creates an implicit whitelist for that stanza. The longest fully qualified path becomes the monitor stanza, and the wildcards are translated into regular expressions, as listed in the table above."

This means your choice of whitelist is being clobberd by your use of * expressions in the stanza. Is there some advantage to using the seperate whitelist entry?

View solution in original post

Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎12-22-2010 12:55 AM

This is longstanding behavior, though sort of a stumbling block.

http://www.splunk.com/base/Documentation/latest/Admin/Specifyinputpathswithwildcards#Wildcards_and_w...

"When you specify wildcards in a file input path, Splunk creates an implicit whitelist for that stanza. The longest fully qualified path becomes the monitor stanza, and the wildcards are translated into regular expressions, as listed in the table above."

This means your choice of whitelist is being clobberd by your use of * expressions in the stanza. Is there some advantage to using the seperate whitelist entry?

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-26-2018 04:09 PM

I have been told on good authority that this is no longer the case, and has not been so for many years/releases.

Reply
Solved! Jump to solution

hajducko
Explorer
‎12-22-2010 04:33 PM

It was more of a 'Hey, I tried this and it didn't work and now I'm curious as to why'.

Stupid me, however, read that whole doc before posting and didn't even put two and two together.

Thanks much!

0 Karma
Reply
Solved! Jump to solution

vsingla1
Communicator
‎02-25-2015 07:53 AM

Thanks a lot jrodman. The link you provided proved to be very useful.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...