Splunk inputs and whitelists --- how to?

DEAD_BEEF · ‎02-11-2020

I've combed through inputs.conf and the various questions on answers but can't seem to get a definitive example in how to employ a whitelist or modify my monitor stanza to match on specific folders and their sub-directories per my use case.

Example:

match on /mnt/data/apple/desired_folder/*/*
match on /mnt/data/apple/dir_1/*/*
match on /mnt/data/apple/folder_two/*/*

DONT match /mnt/data/apple/junk/*/*]
DONT match on too many others to list

Each directory in the whitelist, has one more sub-directory, then the log files themselves, of which I want everything in the folder. Do I have to write 3 monitor stanzas for this?

failed attempts - no logs get pulled in

[monitor:///mnt/data/apple/(dir_1|folder_two|index_this)/*/*]

and

[monitor:///mnt/data/apple/*/*/*]
whitelist = (dir_1|folder_two|index_this)

For now I've resorted to 3 monitor stanza's but I thought there is a cleaner way to do this in Splunk that I've completely forgotten/missed.

adonio · ‎02-12-2020

better of writing 3 stanzas
if the files in each directory tree are different, you will want 3 stanzas anyways so you can apply the correct sourcetype to each

DEAD_BEEF · ‎02-12-2020

Okay, but let's say I have 300 directories that I want (but there are over 5,000 I don't want)... must I still write them all out? I omitted sourcetype and everything else for brevity and assuming they are all the same sourcetype.

Splunk inputs and whitelists --- how to?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?