I have some complicated Extended Regexes that give the right files when used with a find /|grep -E "regex"
but do not work in inputs.conf.
Here's an example:
[monitor:///files]
whitelist = \/(qqq|abc)\/\w+\/wls[0-9]+\/user_projects\/domains\/\w+\/servers\/\w+\/logs\/\w+\.out
Which would match any of these files when used with a find /|grep
/files/qqq/foo/wls1234/user_projects/domains/bar/servers/foofoo/logs/foobar.out
/files/abc/BAR/wls1234/user_projects/domains/GOO/servers/foofoo/logs/FBAR.out
/files/abc/FBAR/wls1234/user_projects/domains/GAR/servers/foofoo/logs/GBAR.out
BUT in inputs.conf, it matches a LOT more under /files
In simple English, I need to match:
/files/(abc or qqq)/*/wls*/user_projects/domains/*/servers/*/logs/*.out
Then you're going to need to work with your blacklists and whitelists more. The monitor stanza doesn't allow for full regex.
[monitor:///files/*/*/wls*/user_projects/domains/*/servers/*/logs]
# whitelist regexes are matched against the full path, so anchor on the
# path separator rather than with ^
whitelist = /(foobar|FBAR|GBAR)\.out$
http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf
Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored input. Use "..." for recursive directory matching and "*" for wildcard matching in a single directory segment.
* "..." recurses through directories. This means that /foo/.../bar will match foo/bar, foo/1/bar, foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path. For example: /foo/.../bar/...
* The asterisk (*) matches anything in a single path segment; unlike "...", it does not recurse. For example, /foo/*/bar matches the files /foo/bar, /foo/1/bar, /foo/2/bar, etc. However, it does not match /foo/1/2/bar. A second example: /foo/m*r/bar matches /foo/bar, /foo/mr/bar, /foo/mir/bar, /foo/moor/bar, etc.
* You can combine "*" and "..." as required: foo/.../bar/* matches any file in the bar directory within the specified path.
Nope, there are other 'logs' directories in other places in the /files directory tree (e.g. /files/abc/stuff/logs/XYZ.out) which I don't want to report.
Have you tried to use recursive directory matching?
[monitor:///files/.../logs]
whitelist = \w+\.out$
Or
[monitor:///files/.../logs]
whitelist = \.out$
Should work.
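Added worked example (not from the original thread or from Splunk): a small Python model of the two rules the quoted docs describe ("..." recurses, "*" stays inside one segment) plus the whitelist, which Splunk applies as an unanchored regex search over the full path. Run against the three paths the question wants and a few constructed look-alikes (including the /files/abc/stuff/logs/XYZ.out case from the follow-up), it shows why the `/files/.../logs` stanza over-matches, why a whitelist that only lists filenames cannot restrict the first segment to abc or qqq, and that the original regex, anchored and used as the whitelist under a segment-precise stanza, selects exactly the wanted files. The wildcard-to-regex translation is my reading of the documented semantics, not Splunk's own code.

```python
import re

# Constructed sample paths: the three from the question, then look-alikes that
# a correct stanza must NOT pick up (the stuff/logs one is from the follow-up).
WANTED = [
    "/files/qqq/foo/wls1234/user_projects/domains/bar/servers/foofoo/logs/foobar.out",
    "/files/abc/BAR/wls1234/user_projects/domains/GOO/servers/foofoo/logs/FBAR.out",
    "/files/abc/FBAR/wls1234/user_projects/domains/GAR/servers/foofoo/logs/GBAR.out",
]
UNWANTED = [
    "/files/abc/stuff/logs/XYZ.out",                                                  # other logs dir
    "/files/abc/BAR/wls1234/user_projects/domains/GOO/servers/foofoo/logs/FBAR.log",  # wrong suffix
    "/files/zzz/foo/wls1234/user_projects/domains/bar/servers/foofoo/logs/foobar.out",  # not abc/qqq
    "/files/abc/FBAR/wls1234/user_projects/domains/GAR/servers/foofoo/logs/old/GBAR.out",  # below logs/
]

# Segment-precise stanza path: one "*" per variable directory level.
PRECISE = "/files/*/*/wls*/user_projects/domains/*/servers/*/logs"

# The question's own regex, anchored, as a whitelist over the full path.
FULL_WHITELIST = (
    r"^/files/(abc|qqq)/[^/]+/wls[0-9]+/user_projects/domains/[^/]+"
    r"/servers/[^/]+/logs/[^/]+\.out$"
)


def monitor_path_regex(monitor_path: str) -> re.Pattern:
    """Compile a [monitor://<path>] path into a regex over full file paths.

    Models the documented wildcard rules (assumption: my reading of the docs):
      "..."  zero or more whole directory segments
      "*"    anything within a single segment, no recursion
    A file is a candidate if it lies anywhere below the matched directory,
    since monitoring a directory picks up its contents recursively.
    """
    parts = []
    for seg in monitor_path.split("/"):
        if seg == "":
            continue
        if seg == "...":
            parts.append("(?:/[^/]+)*")
        else:
            parts.append("/" + re.escape(seg).replace(r"\*", "[^/]*"))
    return re.compile("^" + "".join(parts) + "(?:/.*)?$")


def select_files(monitor_path: str, whitelist: str, paths):
    """Return the paths a stanza + whitelist would monitor, in input order.

    The whitelist is an unanchored search over the full path, so "^name\\.out$"
    never matches; anchor on "/" or on "^/files" instead.
    """
    dir_re = monitor_path_regex(monitor_path)
    wl_re = re.compile(whitelist)
    return [p for p in paths if dir_re.match(p) and wl_re.search(p)]


if __name__ == "__main__":
    configs = {
        "filenames only": (PRECISE, r"/(foobar|FBAR|GBAR)\.out$"),
        "recursive logs": ("/files/.../logs", r"\w+\.out$"),
        "anchored full regex": (PRECISE, FULL_WHITELIST),
    }
    for name, (stanza, wl) in configs.items():
        print(f"[{name}] [monitor://{stanza}] whitelist = {wl}")
        for p in select_files(stanza, wl, WANTED + UNWANTED):
            print("   ", "ok " if p in WANTED else "BAD", p)
```

The middle config is the one that reproduces the complaint in the follow-up: "..." happily descends into /files/abc/stuff/logs. The first shows the other half of the problem, that the stanza's "*" accepts any first-level directory and anything below logs/, so the alternation (abc|qqq) and the "exactly one segment after logs/" constraint have to live in the whitelist.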