whitelist directories inputs.conf

Contributor

We have ~1000 directories in the path and we want to monitor only a few selected directories. I tried to use the whitelist, avoiding multiple monitoring stanzas, but it doesn't seem to work. I have verified this by running ./splunk list monitor on the forwarder. Here BX187898 and BX676909 are directories in /enc_logs-ep3/bker, and there are log files in those directories.

Need assistance with the whitelist directories. I have tried with two directories, but I will have a few more added.

[monitor:///enc_logs-ep3/bker]
disabled = false
index = enc_logs
whitelist = (BX187898|BX676909)
host_regex = \S+(EP.*).\d{4}
sourcetype = enc
ignoreOlderThan = 3d

Thanks

0 Karma

Motivator

You can refer to this link:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Whitelistorblacklistspecificincomingdata

Can you cross check your regex?
Let me know if this helps!!

0 Karma

SplunkTrust

Can you give some sample full paths of files that you want to monitor and some that you don't?

0 Karma

Contributor

Thanks @somesoni2

Here's a sample path:

/enc_logs-en3/bker/BX187898/EncServer. BX187898.ENC5VEABE100934.2018-08-06-14.log

0 Karma
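
An added example (not part of any post in this thread): a small Python check of which file paths a stanza like the one in the question would pick up, assuming the whitelist is applied as an unanchored regex search over the full file path. The function name `explain`, the constructed paths and the tighter `/(...)/` pattern are illustrative assumptions, and Python's `re` stands in for Splunk's regex engine.

```python
import re
from pathlib import PurePosixPath

# Values from the stanza in the question.
ROOT = "/enc_logs-ep3/bker"
WHITELIST = r"(BX187898|BX676909)"
# Assumption: a tighter variant that only matches the ID as a directory name.
WHITELIST_DIR = r"/(BX187898|BX676909)/"

def explain(path, root=ROOT, whitelist=WHITELIST):
    """Return (monitored, reason) for one file path under [monitor://<root>]."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    if r not in p.parents:
        return False, "outside monitor path"
    # Unanchored search over the whole path, not just the directory name.
    if not re.search(whitelist, path):
        return False, "no whitelist match"
    return True, "monitored"

# Constructed paths, except the last, which is the sample path as posted.
SAMPLES = [
    "/enc_logs-ep3/bker/BX187898/EncServer.2018-08-06-14.log",
    "/enc_logs-ep3/bker/BX000001/EncServer.2018-08-06-14.log",
    "/enc_logs-ep3/bker/BX000001/copy-of-BX187898.log",
    "/enc_logs-en3/bker/BX187898/EncServer. BX187898.ENC5VEABE100934.2018-08-06-14.log",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s)
        print("   whitelist as posted :", explain(s))
        print("   directory-anchored  :", explain(s, whitelist=WHITELIST_DIR))
```

Because the search covers the whole path, a file whose name merely contains a whitelisted ID is also selected; the directory-anchored variant excludes it.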