Proper way to use whitelist in inputs.conf

hajducko
Explorer

Can't seem to get this to work using whitelists in inputs.conf

I have a location I need to monitor for several log files across several directories, all of the same type:

This works:

[monitor:///var/disys/phoenix1a/jboss/cbs2-V*/default/logs/*.log]
disabled = false
sourcetype = cbs2

However, this doesn't:

[monitor:///var/disys/phoenix1a/jboss/cbs2-V*/default/logs]
whitelist = \.log$
disabled = false
sourcetype = cbs2

Am I doing something wrong here? The white list seems rather simple and it seems like it should work just fine - however, none of the logs are getting sent.

jrodman
Splunk Employee

This is longstanding behavior, though sort of a stumbling block.

http://www.splunk.com/base/Documentation/latest/Admin/Specifyinputpathswithwildcards#Wildcards_and_w...

"When you specify wildcards in a file input path, Splunk creates an implicit whitelist for that stanza. The longest fully qualified path becomes the monitor stanza, and the wildcards are translated into regular expressions, as listed in the table above."

This means your choice of whitelist is being clobbered by your use of * expressions in the stanza. Is there some advantage to using the separate whitelist entry?
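
The rule quoted above, as an added model (not Splunk's code and not part of this thread) of how a wildcard in the stanza path turns into an implicit whitelist that replaces the explicit one. It assumes the translation from the Splunk wildcard docs: `*` becomes `[^/]*` (one path segment) and `...` becomes `.*`; the file list is constructed for the example.

```python
import re

# Constructed sample of what lives under the jboss directory (not real data).
FILES = [
    "/var/disys/phoenix1a/jboss/cbs2-V1/default/logs/server.log",
    "/var/disys/phoenix1a/jboss/cbs2-V2/default/logs/app.log",
    "/var/disys/phoenix1a/jboss/cbs2-V2/default/logs/app.log.2013-01-01",
    "/var/disys/phoenix1a/jboss/other/default/logs/server.log",
]

def split_wildcard_path(path):
    """Return (longest wildcard-free prefix, wildcard remainder) of a monitor path."""
    segments = path.split("/")
    base = []
    for i, seg in enumerate(segments):
        if "*" in seg or "..." in seg:
            return "/".join(base), "/".join(segments[i:])
        base.append(seg)
    return path, ""

def wildcard_to_regex(remainder):
    """Assumed doc translation: '...' -> '.*', '*' -> '[^/]*', rest literal."""
    out, i = "", 0
    while i < len(remainder):
        if remainder.startswith("...", i):
            out, i = out + ".*", i + 3
        elif remainder[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(remainder[i]), i + 1
    return out

def effective_whitelist(stanza_path, explicit_whitelist=None):
    """Model of the quoted rule: a wildcard in the stanza path yields an implicit
    whitelist that replaces the explicit one; a wildcard-free path keeps it."""
    base, rest = split_wildcard_path(stanza_path)
    if rest:
        return base, "^" + re.escape(base) + "/" + wildcard_to_regex(rest) + "$"
    return base, explicit_whitelist

def monitored_files(stanza_path, files, explicit_whitelist=None):
    """Files under the effective stanza directory that pass the effective whitelist."""
    base, regex = effective_whitelist(stanza_path, explicit_whitelist)
    under = [f for f in files if f.startswith(base + "/")]
    if regex is None:
        return under
    return [f for f in under if re.search(regex, f)]
```

Under this model the second stanza's implicit whitelist ends at `logs$`, so no file path matches it, while a wildcard-free stanza on `/var/disys/phoenix1a/jboss` with an explicit `whitelist = cbs2-V[^/]*/default/logs/[^/]*\.log$` selects the same files as the working stanza.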

woodcock
Esteemed Legend

I have been told on good authority that this is no longer the case, and has not been so for many years/releases.

hajducko
Explorer

It was more of a 'Hey, I tried this and it didn't work and now I'm curious as to why'.

Stupid me, however, read that whole doc before posting and didn't even put two and two together.

Thanks much!

vsingla1
Communicator

Thanks a lot jrodman. The link you provided proved to be very useful.
