Getting Data In

whitelist queries

athorat3
New Member

Hi,

I have a question.
The existing whitelist in inputs.conf includes:

whitelist = (tomcat|vizql|hs_err|tdeserver64)-[^/\\]*\.log$|(tdeserver|tabprotosrv|nativeapi)_vizqlserver.txt

Now there are new files added in the directory:

    -a---         6/30/2017  11:58 AM          0 tabprotosrv_backgrounder_0-0.txt
    -a---         6/30/2017  12:03 PM     146491 tabprotosrv_backgrounder_0-0_1.txt
    -a---         6/30/2017  12:04 PM          0 tabprotosrv_backgrounder_0-0_10.txt
    -a---         6/30/2017  12:04 PM          0 tabprotosrv_backgrounder_0-0_11.txt
    -a---         6/30/2017  12:04 PM          0 tabprotosrv_backgrounder_0-0_12.txt
    -a---         6/30/2017  12:06 PM     123767 tabprotosrv_backgrounder_0-0_13.txt


How do I modify the existing whitelist to include these files?
Is the below stanza correct?
whitelist = (tomcat|vizql|hs_err|tdeserver64)-[^/\\]*\.log$|(tdeserver|tabprotosrv|nativeapi)_vizqlserver.txt$|(tabprotosrv_backgrounder)[\_\d\-]*.txt
0 Karma

DalJeanis
SplunkTrust

Seems correct, but to be consistent you want a $ anchor after the final .txt, and you want to escape the period when you mean it to be a period (only).

whitelist = (tomcat|vizql|hs_err|tdeserver64)-[^/\\]*\.log$|(tdeserver|tabprotosrv|nativeapi)_vizqlserver\.txt$|(tabprotosrv_backgrounder)[\_\d\-]*\.txt$
0 Karma

horsefez
SplunkTrust

Hey,

How about this regular expression?

(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$

Take a look at it here:
https://regex101.com/r/55M6LH/1

Tell me what you think about it.

0 Karma

athorat3
New Member

Thanks @horsefez

In the tail processing it says:

C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_1_bk.txt

parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:.log|.txt)$'.

0 Karma

athorat3
New Member
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_1.txt   
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_10_bk.txt   
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_10.txt  
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_11_bk.txt   
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_11.txt  
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_12_bk.txt   
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_12.txt  
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_13_bk.txt   
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_13.txt  
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_14_bk.txt   
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_14.txt  
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_15.txt  
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_16_bk.txt   
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_16.txt  
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_17.txt  
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_18_bk.txt   
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_18.txt  
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_19.txt  
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_2_bk.txt    
parent  C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type    File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
0 Karma
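Added example (not part of any post in this thread): Splunk applies a monitor whitelist to the file's full path, which is why the `^`-anchored pattern is rejected in the tail-processing output above even though it matches bare file names in a regex tester. The Python sketch below checks the thread's three patterns against full paths; Python's `re` stands in for Splunk's PCRE engine (the patterns use only syntax common to both), and the file names marked constructed and the `path_aware` pattern are assumptions added here, not taken from the thread.

```python
import re

# Directory and whitelist patterns are copied from the thread. File names marked
# "constructed" are sample inputs added here to probe edge cases.
PARENT = "C:\\ProgramData\\Tableau\\Tableau Server\\data\\tabsvc\\logs\\vizqlserver\\"
FILES = [
    "tabprotosrv_backgrounder_0-0.txt",
    "tabprotosrv_backgrounder_0-0_13.txt",
    "tabprotosrv_backgrounder_0-0_1_bk.txt",
    "tabprotosrv_vizqlserver.txt",
    "tomcat-2017-06-30.log",                    # constructed
    "tabprotosrv_backgrounder_0-0_1.txt.bak",   # constructed: trailing suffix
    "tabprotosrv_backgrounder_0-0_1Xtxt",       # constructed: no literal dot
]

WHITELISTS = {
    # Stanza proposed in the question: unescaped dots, last branch has no $.
    "question": r"(tomcat|vizql|hs_err|tdeserver64)-[^/\\]*\.log$"
                r"|(tdeserver|tabprotosrv|nativeapi)_vizqlserver.txt$"
                r"|(tabprotosrv_backgrounder)[\_\d\-]*.txt",
    # First answer: dots escaped and every branch anchored with $.
    "escaped": r"(tomcat|vizql|hs_err|tdeserver64)-[^/\\]*\.log$"
               r"|(tdeserver|tabprotosrv|nativeapi)_vizqlserver\.txt$"
               r"|(tabprotosrv_backgrounder)[\_\d\-]*\.txt$",
    # Second answer: ^ ties the match to the start of the whole path.
    "caret": r"(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$",
    # Hypothetical variant (not from the thread): start at a path separator
    # instead of ^ and stay inside the last path component. Also accepts _bk files.
    "path_aware": r"(?:^|[/\\])(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)[^/\\]*\.(?:log|txt)$",
}

def matched(name, full_path=True):
    """Return the sample files a whitelist accepts.
    full_path=True searches PARENT + file name, full_path=False the bare name."""
    rx = re.compile(WHITELISTS[name])
    prefix = PARENT if full_path else ""
    return [f for f in FILES if rx.search(prefix + f)]

if __name__ == "__main__":
    for name in WHITELISTS:
        print(name, "full path:", matched(name))
    print("caret, bare name:", matched("caret", full_path=False))
```

Neither the question's stanza nor the escaped version accepts the `_bk.txt` files, and the question's stanza also accepts the two constructed lookalikes, so check any whitelist change against the complete directory listing before relying on those logs being indexed.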