Getting Data In

Splunk inputs and whitelists --- how to?

DEAD_BEEF
Builder

I've combed through inputs.conf and the various questions on answers but can't seem to get a definitive example in how to employ a whitelist or modify my monitor stanza to match on specific folders and their sub-directories per my use case.

Example:

match on /mnt/data/apple/desired_folder/*/*
match on /mnt/data/apple/dir_1/*/*
match on /mnt/data/apple/folder_two/*/*

DONT match /mnt/data/apple/junk/*/*]
DONT match on too many others to list

Each directory in the whitelist, has one more sub-directory, then the log files themselves, of which I want everything in the folder. Do I have to write 3 monitor stanzas for this?

failed attempts - no logs get pulled in

[monitor:///mnt/data/apple/(dir_1|folder_two|index_this)/*/*]

and

[monitor:///mnt/data/apple/*/*/*]
whitelist = (dir_1|folder_two|index_this)

For now I've resorted to 3 monitor stanza's but I thought there is a cleaner way to do this in Splunk that I've completely forgotten/missed.

0 Karma

adonio
Ultra Champion

better of writing 3 stanzas
if the files in each directory tree are different, you will want 3 stanzas anyways so you can apply the correct sourcetype to each

0 Karma

DEAD_BEEF
Builder

Okay, but let's say I have 300 directories that I want (but there are over 5,000 I don't want)... must I still write them all out? I omitted sourcetype and everything else for brevity and assuming they are all the same sourcetype.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...