Getting Data In

Where is the invalid key in my inputs.conf?

Path Finder

Receiving:
Invalid key in stanza [monitor://D:\\radiantone\\vds\\vds_server\\logs] in , line 6: whitelist1 (value: vds_server.*\.log).
Invalid key in stanza [monitor://D:\\radiantone\\vds\\vds_server\\logs] in <c:\Program Files\SplunkUniversalForwarder\etc\apps\bsw_vds_inputs\local\inputs.conf>, line 7: whitelist2 (value: vds_server\.log).

Here is the inputs.conf:

[monitor://D:\\radiantone\\vds\\vds_server\\logs]
index=vds_logs
sourcetype=VDS_define_sourcetype
whitelist=vds_server_\d{4}-\d{2}-\d{2}.*\.log
whitelist1=vds_server.*\.log
whitelist2=vds_server\.log
0 Karma
1 Solution

Path Finder

It looks like you're trying to use the whitelists in inputs.conf as a means of specifying which files to monitor when it's meant to be used as a means of whitelisting specific events within a monitored file. I believe you would just need a separate monitoring stanza for each of your whitelisted values.

Let me know if this helped.

https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Inputsconf#MONITOR:

View solution in original post

Path Finder

It looks like you're trying to use the whitelists in inputs.conf as a means of specifying which files to monitor when it's meant to be used as a means of whitelisting specific events within a monitored file. I believe you would just need a separate monitoring stanza for each of your whitelisted values.

Let me know if this helped.

https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Inputsconf#MONITOR:

View solution in original post

Path Finder

You are correct... I added an additional stanza and now I am seeing logs. Thanks!

0 Karma

Path Finder

You're very welcome!

0 Karma

Path Finder

I don't see mistake yet but here are the docs I'm referencing. Hope this helps.

https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Inputsconf#Event_Log_whitelist_and_blacklis...

0 Karma