Splunk IT Service Intelligence

Can you help with RegEx for whitelist/blacklist?

New Member

I need help with the regex syntax to whitelist, whitelist*.log, blacklist*.log and blacklist.prev.log files when monitoring a directory.


0 Karma

Splunk Employee
Splunk Employee


Thanks for posting. Could you give us some more context for your query? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.

0 Karma


Hi @khickey,

Do you mean to say you want Splunk Universal Forwarder configuration to monitor certain files.

If that is the case, then you can do below configuration in inputs.conf on UF

whitelist = (?:whitelist|blacklist).*\.log
index = yourindex

Here is regex with sample data https://regex101.com/r/MkDFOC/1

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!