Getting Data In

Splunk inputs and whitelists --- how to?

DEAD_BEEF
Builder

I've combed through inputs.conf and the various questions on Answers but can't seem to get a definitive example of how to employ a whitelist or modify my monitor stanza to match on specific folders and their sub-directories per my use case.

Example:

match on /mnt/data/apple/desired_folder/*/*
match on /mnt/data/apple/dir_1/*/*
match on /mnt/data/apple/folder_two/*/*

DON'T match /mnt/data/apple/junk/*/*
DON'T match on too many others to list

Each directory in the whitelist has one more sub-directory, then the log files themselves, of which I want everything in the folder. Do I have to write 3 monitor stanzas for this?

failed attempts - no logs get pulled in

[monitor:///mnt/data/apple/(dir_1|folder_two|index_this)/*/*]

and

[monitor:///mnt/data/apple/*/*/*]
whitelist = (dir_1|folder_two|index_this)

For now I've resorted to 3 monitor stanzas, but I thought there was a cleaner way to do this in Splunk that I've completely forgotten/missed.

0 Karma

adonio
Ultra Champion

Better off writing 3 stanzas.
If the files in each directory tree are different, you will want 3 stanzas anyway so you can apply the correct sourcetype to each.

0 Karma

DEAD_BEEF
Builder

Okay, but let's say I have 300 directories that I want (but there are over 5,000 I don't want)... must I still write them all out? I omitted sourcetype and everything else for brevity and assuming they are all the same sourcetype.

0 Karma
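
One way to express the question's layout as a single stanza, as an added example that is not part of the original thread: monitor the parent directory and generate an anchored `whitelist` regex from the list of wanted directories, then check it against sample paths before deploying. It assumes Splunk applies `whitelist` as a regex search over the full file path; the helper names and sample paths are constructed for illustration.

```python
import re

def build_whitelist(base, wanted_dirs):
    """Anchored regex: <base>/<wanted dir>/<one sub-directory>/<file>."""
    alternation = "|".join(re.escape(d) for d in sorted(wanted_dirs))
    return "^%s/(?:%s)/[^/]+/[^/]+$" % (re.escape(base.rstrip("/")), alternation)

def render_stanza(base, wanted_dirs):
    """A single monitor stanza on the parent directory plus the whitelist."""
    return "[monitor://%s]\nwhitelist = %s\n" % (
        base.rstrip("/"), build_whitelist(base, wanted_dirs))

def selected(pattern, paths):
    # Assumption: the whitelist is an unanchored regex search over the full path.
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]

BASE = "/mnt/data/apple"
WANTED = ["desired_folder", "dir_1", "folder_two"]  # could be a list of 300 names

# Constructed sample paths, not taken from a real host.
SAMPLE_PATHS = [
    "/mnt/data/apple/desired_folder/host1/app.log",
    "/mnt/data/apple/dir_1/a/b.log",
    "/mnt/data/apple/folder_two/x/y.log",
    "/mnt/data/apple/junk/host1/app.log",
    "/mnt/data/apple/junk/dir_1/app.log",   # wanted name, wrong depth
    "/mnt/data/apple/dir_10/a/b.log",       # wanted name as a prefix only
    "/mnt/data/apple/dir_1/a/deeper/b.log", # one level too deep
]

# A bare alternation is a substring match anywhere in the path.
LOOSE = "(desired_folder|dir_1|folder_two)"

if __name__ == "__main__":
    print(render_stanza(BASE, WANTED))
    anchored = build_whitelist(BASE, WANTED)
    for path in SAMPLE_PATHS:
        print("%-45s anchored=%-5s loose=%s" % (
            path, bool(re.search(anchored, path)), bool(re.search(LOOSE, path))))
```

The unanchored alternation also selects `junk/dir_1`, `dir_10` and the deeper file, which is why the generated pattern pins the directory name between slashes and fixes the depth.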