Splunk IT Service Intelligence

Can you help with RegEx for whitelist/blacklist?

New Member

I need help with the regex syntax to whitelist, whitelist.log, blacklist.log and blacklist.prev.log files when monitoring a directory.

Thanks

0 Karma

Re: Can you help with RegEx for whitelist/blacklist?

SplunkTrust

Hi @khickey,

Do you mean to say you want a Splunk Universal Forwarder configuration to monitor certain files?

If that is the case, then you can use the configuration below in inputs.conf on the UF:

[monitor://<yourdirectory>]
whitelist = (?:whitelist|blacklist).*\.log
index = yourindex

Here is regex with sample data https://regex101.com/r/MkDFOC/1

0 Karma
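
A way to check the whitelist pattern from the answer above before deploying it, added here as an example that is not part of the original thread. Splunk tests the whitelist regex against the full file path and does not anchor it, so the sketch compares the answer's pattern with a stricter variant. The sample paths, `STRICT_PATTERN` and the helper names are assumptions made for illustration.

```python
import re

# Pattern from the answer above, and a tighter variant (an assumption added
# here) that only accepts the three file names listed in the question.
ANSWER_PATTERN = r"(?:whitelist|blacklist).*\.log"
STRICT_PATTERN = r"[/\\](?:whitelist|blacklist(?:\.prev)?)\.log$"

# Constructed sample paths; /var/log/app is a placeholder directory.
SAMPLE_PATHS = [
    "/var/log/app/whitelist.log",
    "/var/log/app/blacklist.log",
    "/var/log/app/blacklist.prev.log",
    "/var/log/app/blacklist.log.1",          # rotated copy
    "/var/log/app/whitelist.log.gz",         # compressed copy
    "/var/log/app/whitelist_old/debug.log",  # directory name matches
    "/var/log/app/access.log",
]


def selected(pattern, paths):
    """Return the paths a monitor stanza would pick up for this whitelist.

    The regex is applied to the whole path, unanchored, which re.search
    reproduces.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def overmatches(loose, strict, paths):
    """Paths accepted by the loose pattern but rejected by the strict one."""
    strict_hits = set(selected(strict, paths))
    return [p for p in selected(loose, paths) if p not in strict_hits]


if __name__ == "__main__":
    print("answer pattern picks up:")
    for p in selected(ANSWER_PATTERN, SAMPLE_PATHS):
        print("  ", p)
    print("extra files compared with the strict pattern:")
    for p in overmatches(ANSWER_PATTERN, STRICT_PATTERN, SAMPLE_PATHS):
        print("  ", p)
```

Rotated or compressed copies and any `.log` file under a directory whose name contains `whitelist` or `blacklist` are indexed by the unanchored pattern; the anchored variant limits ingestion to the three named files.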

Re: Can you help with RegEx for whitelist/blacklist?

Splunk Employee

@khickey

Thanks for posting. Could you give us some more context for your query? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.

0 Karma