I have a whitelist to limit how far back splunk looks to import our syslogs from our ASA. The regex that I am using is ^(ASA_Syslog_)(|2009|20[1-9][0-9])-(0[1-9]|1[012])-([123]0|[012][1-9]|31).(txt|zip)$

When I look a the admin/inpustatus, it states that every file does not match the whitelist. But when I run the regex test on a few regex test web sites, they all say it matches.

s:key name="e:\syslog\ASA\ASA_Syslog_2011-03-09.txt"
s:dict
s:key name="parent">e:\syslog\ASA s:key name="type">Did not match whitelist '^(ASA_Syslog_)(|2009|20[1-9][0-9])-(0[1-9]|1[012])-([123]0|[012][1-9]|31).(txt|zip)$'. /s:key
/s:dict

(<> removed so this will show in question)

Am i missing something? Do I need to include the file path in the regex for the white list?

My inputs.conf looks like this

[monitor://e:\syslog\ASA]
disabled = false
followTail = 0
host = ASA
index = cisco_asa
sourcetype = cisco_syslog
whitelist = ^(ASA_Syslog_)(|2009|20[1-9][0-9])-(0[1-9]|1[012])-([123]0|[012][1-9]|31).(txt|zip)$