Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Underscores in inputs.conf...HELP!
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Underscores in inputs.conf...HELP!
Let's say I have the following in my inputs.conf file:
[monitor:///splunk/splink/fish/abc_qa/logs/]
whitelist = def*.log$|ghi*.log$|jkl*.log$|mno*.log$|pqr*.log$
sourcetype = applogs
index = risk
disabled = false
crcSalt=
And the directory contains the following files:
def_QA_BOAT.log
ghi_QA_TROUT.log
pqr_QA_worm_count.log
Why don't any of these match?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've attempted the above with just the slashes (without the asterisks) and it still doesn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've attempted the above with just the slashes (without the asterisks) and it still doesn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe its the page stripping the characters but you Are using
pqr*\.log$ with the asterisk (*) and the slash ()?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried this also with just a single expression in the following format: abc*.log$. No dice. What am I missing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are only specifying the first few characters of the file name you must have the asterisk to wildcard the rest of the file name. You must also have the slash to escape the dot before the file extension. Have you tried using only one expression without the OR "|" ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've attempted the above with just the slashes (without the asterisks) and it still doesn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
using asterisk and slash plus '|' between each file name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
whitelist = def*\.log$|ghi*\.log$|jkl*\.log$|mno*\.log$|pqr*\.log$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It tells me nothing matches 'def*.log|ghi*.log|...'. Wouldn't it come back with '_' in the name?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
