Getting Data In

Splunk inputs and whitelists --- how to?


I've combed through inputs.conf and the various questions on answers but can't seem to get a definitive example in how to employ a whitelist or modify my monitor stanza to match on specific folders and their sub-directories per my use case.


match on /mnt/data/apple/desired_folder/*/*
match on /mnt/data/apple/dir_1/*/*
match on /mnt/data/apple/folder_two/*/*

DONT match /mnt/data/apple/junk/*/*]
DONT match on too many others to list

Each directory in the whitelist, has one more sub-directory, then the log files themselves, of which I want everything in the folder. Do I have to write 3 monitor stanzas for this?

failed attempts - no logs get pulled in



whitelist = (dir_1|folder_two|index_this)

For now I've resorted to 3 monitor stanza's but I thought there is a cleaner way to do this in Splunk that I've completely forgotten/missed.

0 Karma

Ultra Champion

better of writing 3 stanzas
if the files in each directory tree are different, you will want 3 stanzas anyways so you can apply the correct sourcetype to each

0 Karma


Okay, but let's say I have 300 directories that I want (but there are over 5,000 I don't want)... must I still write them all out? I omitted sourcetype and everything else for brevity and assuming they are all the same sourcetype.

0 Karma
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...