Splunk Search

Extended Regex in Inputs.conf

glitchcowboy
Path Finder

I have some complicated Extended Regexes that give the right files when used with a find /|grep -E "regex" but do not work in inputs.conf.

Here's an example:

[monitor:///files]
whitelist = \/(qqq|abc)\/\w+\/wls[0-9]+\/user_projects\/domains\/\w+\/servers\/\w+\/logs\/\w+\.out

Which would match any of these files when used with a find /|grep

/files/qqq/foo/wls1234/user_projects/domains/bar/servers/foofoo/logs/foobar.out
/files/abc/BAR/wls1234/user_projects/domains/GOO/servers/foofoo/logs/FBAR.out
/files/abc/FBAR/wls1234/user_projects/domains/GAR/servers/foofoo/logs/GBAR.out

BUT in inputs.conf, it matches a LOT more under /files

In simple english, I need to match:

/files/(abc or qqq)/*/wls*/user_projects/domains/*/servers/*/logs/*.out

Tags (2)
0 Karma

jgedeon120
Contributor

Then your going to need to work with your blacklists and whitelists more. The monitor stanza doesn't allow for full regex.

[monitor:///files/*/wls1234/user_projects/domains/*/servers/*/logs]
whitelist = ^(foobar|FBAR|GBAR)\.out$

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored input.
Use "..." for recursive directory

matching and "" for wildcard matching
in a single directory segment.
* "..." recurses through directories. This means that /foo/.../bar will
match foo/bar, foo/1/bar,

foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path.
For example: /foo/.../bar/...
* The asterisk (
) matches anything in a single path segment; unlike "...",
it does not recurse. For example,

/foo//bar matches the files /foo/bar,
/foo/1/bar, /foo/2/bar, etc. However,
it does not match /foo/1/2/bar . A
second example: /foo/m*r/bar matches
/foo/bar, /foo/mr/bar, /foo/mir/bar,
/foo/moor/bar, etc.
* You can combine "
" and "..." as required: foo/.../bar/* matches any
file in the bar directory within the

specified path.

glitchcowboy
Path Finder

Nope, there are other 'logs' directories in other places in the /files directory tree (e.g. /files/abc/stuff/logs/XYZ.out) which I don't want to report.

0 Karma

jgedeon120
Contributor

Have you tried to use recursive directory matching?

[monitor:///files/.../logs]
whitelist = \w+\.out$

Or
[monitor:///files/.../logs]
whitelist = .out$

Should work.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...