Getting Data In

fschange stanza: allows wildcards?

Motivator

In inputs.conf, is a fschange stanza itself allowed to have wildcards (like monitors can, or props.conf stanzas can)?

If so, which style is accepted, regular expressions (.* style) or weird Splunk stanza expressions (... style)?

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

Yes.
from inputs.conf.spec we have:

#*******
# File system monitoring filters:
#*******

[filter:<filtertype>:<filtername>]
* Define a filter of type <filtertype> and name it <filtername>.

<filtertype>
* Filter types are either 'blacklist' or 'whitelist.' 
* A whitelist filter processes all file names that match the regex list.
* A blacklist filter skips all file names that match the regex list.

<filtername>
* The filter name is used in the comma-separated list when defining a file system monitor.

regex<integer> = <regex>    
* Blacklist and whitelist filters can include a set of regexes.
* The name of each regex MUST be 'regex<integer>', where <integer> starts at 1 and increments. 
* Splunk applies each regex in numeric order:
  regex1=<regex>
  regex2=<regex>
  ...

One thing to note however is that whitelist and blacklist for fschange are slightly different from the same in the [monitor] stanzas, in fschange, they work like firewall-whitelists/blacklists. (ie, a whitelist does not create an implicit blacklist and vice-versa)

Also note, you cannot use [monitor] and [fschange] for the same directory/file

Lastly, regular expressions are the allowed ones. (.* rex)

For more info: here

0 Karma

Splunk Employee
Splunk Employee

i believe so. Best thing to do is actually by trying it...

0 Karma

Motivator

So in other words, the stanza itself: [fschange:/path/.../to/path/] is a No?

0 Karma