Can't seem to get this to work using whitelists in inputs.conf
I have a location I need to monitor for several log files across several directories, all of the same type:
[monitor:///var/disys/phoenix1a/jboss/cbs2-V*/default/logs/*.log] disabled = false sourcetype = cbs2
However, this doesn't:
[monitor:///var/disys/phoenix1a/jboss/cbs2-V*/default/logs] whitelist = \.log$ disabled = false sourcetype = cbs2
Am I doing something wrong here? The white list seems rather simple and it seems like it should work just fine - however, none of the logs are getting sent.
This is longstanding behavior, though sort of a stumbling block.
"When you specify wildcards in a file input path, Splunk creates an implicit whitelist for that stanza. The longest fully qualified path becomes the monitor stanza, and the wildcards are translated into regular expressions, as listed in the table above."
This means your choice of whitelist is being clobberd by your use of * expressions in the stanza. Is there some advantage to using the seperate whitelist entry?
It was more of a 'Hey, I tried this and it didn't work and now I'm curious as to why'.
Stupid me, however, read that whole doc before posting and didn't even put two and two together.
I have been told on good authority that this is no longer the case, and has not been so for many years/releases.