Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Underscores in inputs.conf...HELP!
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Underscores in inputs.conf...HELP!
Let's say I have the following in my inputs.conf file:
[monitor:///splunk/splink/fish/abc_qa/logs/]
whitelist = def*.log$|ghi*.log$|jkl*.log$|mno*.log$|pqr*.log$
sourcetype = applogs
index = risk
disabled = false
crcSalt=
And the directory contains the following files:
def_QA_BOAT.log
ghi_QA_TROUT.log
pqr_QA_worm_count.log
Why don't any of these match?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've attempted the above with just the slashes (without the asterisks) and it still doesn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've attempted the above with just the slashes (without the asterisks) and it still doesn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe its the page stripping the characters but you Are using
pqr*\.log$ with the asterisk (*) and the slash ()?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried this also with just a single expression in the following format: abc*.log$. No dice. What am I missing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are only specifying the first few characters of the file name you must have the asterisk to wildcard the rest of the file name. You must also have the slash to escape the dot before the file extension. Have you tried using only one expression without the OR "|" ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've attempted the above with just the slashes (without the asterisks) and it still doesn't work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
using asterisk and slash plus '|' between each file name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
whitelist = def*\.log$|ghi*\.log$|jkl*\.log$|mno*\.log$|pqr*\.log$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It tells me nothing matches 'def*.log|ghi*.log|...'. Wouldn't it come back with '_' in the name?
CX Day is Coming!
Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!
Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console
