I have a whitelist to limit how far back splunk looks to import our syslogs from our ASA. The regex that I am using is ^(ASA_Syslog_)(|2009|20[1-9][0-9])-(0[1-9]|1[012])-([123]0|[012][1-9]|31).(txt|zip)$
When I look a the admin/inpustatus, it states that every file does not match the whitelist. But when I run the regex test on a few regex test web sites, they all say it matches.
s:key name="e:\syslog\ASA\ASA_Syslog_2011-03-09.txt"
s:dict
s:key name="parent">e:\syslog\ASA
s:key name="type">Did not match whitelist '^(ASA_Syslog_)(|2009|20[1-9][0-9])-(0[1-9]|1[012])-([123]0|[012][1-9]|31).(txt|zip)$'. /s:key
/s:dict
(<> removed so this will show in question)
Am i missing something? Do I need to include the file path in the regex for the white list?
My inputs.conf looks like this
[monitor://e:\syslog\ASA]
disabled = false
followTail = 0
host = ASA
index = cisco_asa
sourcetype = cisco_syslog
whitelist = ^(ASA_Syslog_)(|2009|20[1-9][0-9])-(0[1-9]|1[012])-([123]0|[012][1-9]|31).(txt|zip)$
I believe the issue is the "^" in your regex is causing the issue expecting the absolute path to start at ASA_Syslog. Try taking that out.
Looking at the monitor stanza versus regex, I would also do this:
[monitor://e:\syslog\ASA\ASA_Syslog_*]
...
whitelist = (|2009|20[1-9][0-9])-(0[1-9]|1[012])-([123]0|[012][1-9]|31).