In inputs.conf, is a fschange stanza itself allowed to have wildcards (like monitors can, or props.conf stanzas can)?
If so, which style is accepted, regular expressions (.* style) or weird Splunk stanza expressions (... style)?
From inputs.conf.spec we have:

    #*******
    # File system monitoring filters:
    #*******

    [filter:<filtertype>:<filtername>]
    * Define a filter of type <filtertype> and name it <filtername>.

    <filtertype>
    * Filter types are either 'blacklist' or 'whitelist.'
    * A whitelist filter processes all file names that match the regex list.
    * A blacklist filter skips all file names that match the regex list.

    <filtername>
    * The filter name is used in the comma-separated list when defining a file system monitor.

    regex<integer> = <regex>
    * Blacklist and whitelist filters can include a set of regexes.
    * The name of each regex MUST be 'regex<integer>', where <integer> starts at 1 and increments.
    * Splunk applies each regex in numeric order:
      regex1=<regex>
      regex2=<regex>
      ...
One thing to note, however, is that whitelist and blacklist for fschange are slightly different from the same in the [monitor] stanzas: in fschange, they work like firewall whitelists/blacklists (i.e., a whitelist does not create an implicit blacklist and vice versa).
Also note, you cannot use [monitor] and [fschange] for the same directory/file.
Lastly, regular expressions are the allowed ones. (.* rex)
For more info: here
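
An inputs.conf sketch of the setup the answer describes, added here as an illustration and not taken from the original post or from Splunk's shipped files. The directory /etc/myapp and the filter names are constructed placeholders; the ordering comments assume filters are tried left to right and the first matching filter decides.

```ini
# Constructed example: /etc/myapp and all filter names are placeholders.

# Pattern matching lives in the filter stanzas. Each regexN value is a
# regular expression (.* style), numbered from 1 with no gaps.

# Skip editor and packaging leftovers, wherever they sit in the tree.
[filter:blacklist:leftovers]
regex1 = .*\.bak$
regex2 = .*~$
regex3 = .*\.rpmsave$

# Report changes to anything under a conf.d directory.
[filter:whitelist:dropins]
regex1 = .*/conf\.d/.*

# Report changes to top-level style configuration files.
[filter:whitelist:configs]
regex1 = .*\.conf$
regex2 = .*\.ya?ml$

# Catch-all blacklist. A whitelist does not create an implicit blacklist,
# so without this last filter a file that matches none of the filters
# above would still be reported.
[filter:blacklist:everything_else]
regex1 = .*

# The fschange stanza names one literal directory; the filters select files.
# Do not also define [monitor:///etc/myapp] for this directory.
[fschange:/etc/myapp]
recurse = true
pollPeriod = 300
# Assumed evaluation order: left to right, first matching filter decides.
# leftovers comes first so conf.d/foo.bak is skipped before dropins sees it.
filters = leftovers,dropins,configs,everything_else
```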