Splunk IT Service Intelligence

Can you help with RegEx for whitelist/blacklist?

New Member

I need help with the regex syntax to whitelist, whitelist*.log, blacklist*.log and blacklist.prev.log files when monitoring a directory.


0 Karma

Splunk Employee
Splunk Employee


Thanks for posting. Could you give us some more context for your query? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.

0 Karma


Hi @khickey,

Do you mean to say you want Splunk Universal Forwarder configuration to monitor certain files.

If that is the case, then you can do below configuration in inputs.conf on UF

whitelist = (?:whitelist|blacklist).*\.log
index = yourindex

Here is regex with sample data https://regex101.com/r/MkDFOC/1

0 Karma
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...