Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk inputs and whitelists --- how to?

DEAD_BEEF
Builder
‎02-11-2020 11:04 PM

I've combed through inputs.conf and the various questions on answers but can't seem to get a definitive example in how to employ a whitelist or modify my monitor stanza to match on specific folders and their sub-directories per my use case.

Example:

match on /mnt/data/apple/desired_folder/*/*
match on /mnt/data/apple/dir_1/*/*
match on /mnt/data/apple/folder_two/*/*

DONT match /mnt/data/apple/junk/*/*]
DONT match on too many others to list

Each directory in the whitelist, has one more sub-directory, then the log files themselves, of which I want everything in the folder. Do I have to write 3 monitor stanzas for this?

failed attempts - no logs get pulled in

[monitor:///mnt/data/apple/(dir_1|folder_two|index_this)/*/*]

and

[monitor:///mnt/data/apple/*/*/*]
whitelist = (dir_1|folder_two|index_this)

For now I've resorted to 3 monitor stanza's but I thought there is a cleaner way to do this in Splunk that I've completely forgotten/missed.

0 Karma
Reply

adonio
Ultra Champion
‎02-12-2020 05:59 AM

better of writing 3 stanzas
if the files in each directory tree are different, you will want 3 stanzas anyways so you can apply the correct sourcetype to each

0 Karma
Reply

DEAD_BEEF
Builder
‎02-12-2020 08:06 AM

Okay, but let's say I have 300 directories that I want (but there are over 5,000 I don't want)... must I still write them all out? I omitted sourcetype and everything else for brevity and assuming they are all the same sourcetype.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...