Getting Data In
Highlighted

Proper way to use whitelist in inputs.conf

Explorer

Can't seem to get this to work using whitelists in inputs.conf

I have a location I need to monitor for several log files across several directories, all of the same type:

This works:

[monitor:///var/disys/phoenix1a/jboss/cbs2-V*/default/logs/*.log]
disabled = false
sourcetype = cbs2

However, this doesn't:

[monitor:///var/disys/phoenix1a/jboss/cbs2-V*/default/logs]
whitelist = \.log$
disabled = false
sourcetype = cbs2

Am I doing something wrong here? The white list seems rather simple and it seems like it should work just fine - however, none of the logs are getting sent.

Tags (1)
0 Karma
Highlighted

Re: Proper way to use whitelist in inputs.conf

Splunk Employee
Splunk Employee

This is longstanding behavior, though sort of a stumbling block.

http://www.splunk.com/base/Documentation/latest/Admin/Specifyinputpathswithwildcards#Wildcards_and_w...

"When you specify wildcards in a file input path, Splunk creates an implicit whitelist for that stanza. The longest fully qualified path becomes the monitor stanza, and the wildcards are translated into regular expressions, as listed in the table above."

This means your choice of whitelist is being clobberd by your use of * expressions in the stanza. Is there some advantage to using the seperate whitelist entry?

View solution in original post

Highlighted

Re: Proper way to use whitelist in inputs.conf

Explorer

It was more of a 'Hey, I tried this and it didn't work and now I'm curious as to why'.

Stupid me, however, read that whole doc before posting and didn't even put two and two together.

Thanks much!

0 Karma
Highlighted

Re: Proper way to use whitelist in inputs.conf

Communicator

Thanks a lot jrodman. The link you provided proved to be very useful.

0 Karma
Highlighted

Re: Proper way to use whitelist in inputs.conf

Esteemed Legend

I have been told on good authority that this is no longer the case, and has not been so for many years/releases.

0 Karma
Highlighted

Re: Proper way to use whitelist in inputs.conf

Splunk Employee
Splunk Employee
0 Karma