Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- whitelist queries
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whitelist queries
athorat3
New Member
07-03-2017
12:18 AM
HI
I have a question
The existing whitelist in inputs.conf includes
whitelist = (tomcat|vizql|hs_err|tdeserver64)-[^/\\]*\.log$|(tdeserver|tabprotosrv|nativeapi)_vizqlserver.txt
now there are new files added in the directory
-a--- 6/30/2017 11:58 AM 0 tabprotosrv_backgrounder_0-0.txt
-a--- 6/30/2017 12:03 PM 146491 tabprotosrv_backgrounder_0-0_1.txt
-a--- 6/30/2017 12:04 PM 0 tabprotosrv_backgrounder_0-0_10.txt
-a--- 6/30/2017 12:04 PM 0 tabprotosrv_backgrounder_0-0_11.txt
-a--- 6/30/2017 12:04 PM 0 tabprotosrv_backgrounder_0-0_12.txt
-a--- 6/30/2017 12:06 PM 123767 tabprotosrv_backgrounder_0-0_13.txt
how do I modify the existing whitelist to include these files
IS THE BELOW STANZA CORRECT?
whitelist = (tomcat|vizql|hs_err|tdeserver64)-[^/\\]*\.log$|(tdeserver|tabprotosrv|nativeapi)_vizqlserver.txt$|(tabprotosrv_backgrounder)[\_\d\-]*.txt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
07-06-2017
10:48 AM
seems correct, but to be consistent you want a $ anchor after the final .txt, and you want to escape the period when you mean it to be a period (only).
whitelist = (tomcat|vizql|hs_err|tdeserver64)-[^/\\]*\.log$|(tdeserver|tabprotosrv|nativeapi)_vizqlserver\.txt$|(tabprotosrv_backgrounder)[\_\d\-]*\.txt$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
horsefez
Motivator
07-03-2017
04:39 AM
Hey,
how about this regular expression.
(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$
Take a look at it here:
https://regex101.com/r/55M6LH/1
Tell me what you think about it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
athorat3
New Member
07-06-2017
09:37 AM
Thanks @horsefez
in the tail processing it says
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_1_bk.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:.log|.txt)$'.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
athorat3
New Member
07-06-2017
09:40 AM
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_1.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_10_bk.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_10.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_11_bk.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_11.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_12_bk.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_12.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_13_bk.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_13.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_14_bk.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_14.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_15.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_16_bk.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_16.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_17.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_18_bk.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_18.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_19.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\tabprotosrv_backgrounder_0-0_2_bk.txt
parent C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\vizqlserver\
type File did not match whitelist '(?:^)(?:tomcat|vizql|hs_err|tdeserver|tabprotosrv|nativeapi)(?:.*)(?:\.log|\.txt)$'.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
