Getting Data In

whitelist directories inputs.conf


We've ~1000 directories in path and we want to monitor only a few selected directories. I tried to use the whitelist, voiding multiple monitoring stanzas. But it doesn't seem to work. I have verified this by running ./splunk list monitor on the forwarder. Here BX187898, BX676909 are directories in /enc_logs-ep3/bker and have log files in those directories.

Need assistance with the whitelist directories. I have tried with two directories, but I will have a few more added.

disabled = false
index = enc_logs
whitelist = (BX187898|BX676909)
host_regex = \S+(EP.*).\d{4}
sourcetype = enc
ignoreOlderThan = 3d


0 Karma


You can refer this link:

Can you cross check your regex?
Let me know if this helps!!

0 Karma

Revered Legend

Can you give some sample full path of files that you want to monitor and some that you don't?

0 Karma


Thanks @somesoni2

here's a sample path path -

/enc_logs-en3/bker/BX187898/EncServer. BX187898.ENC5VEABE100934.2018-08-06-14.log

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!