Re: Why is a specific file type still being indexe...

mlaufenb · ‎09-02-2015

Here's my stanza:

[monitor:///opt/stash/logs/]
blacklist = \.gz$
disabled = false
followTail = 0
index = stash_pp
sourcetype = log4j
whitelist = (*access\.log$|*stash\.log$|*mail\.log$|*profiler\.log$|*debug\.log$|*plugin\.log$|*codesearch\.log$|\.out$)

I'm getting this file type atlassian-stash-access-2015-08-31.0.log which should have been excluded with the whitelist specification. Is there something wrong with the syntax?

Any help would be appreciated!

lguinn2 · ‎09-02-2015

The proper regular expression for the whitelist is

whitelist = (.*access\.log$|.*stash\.log$|.*mail\.log$|.*profiler\.log$|.*debug\.log$|.*plugin\.log$|.*codesearch\.log$|\.out$)

The * alone just means "match an asterisk" in regular expressions. While Splunk does sometime allow a mix of globbing and regular expressions, don't do it here...

Why is a specific file type still being indexed with my inputs.conf whitelist configuration?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation