Extended Regex in Inputs.conf

glitchcowboy
Path Finder

I have some complicated Extended Regexes that give the right files when used with a find /|grep -E "regex" but do not work in inputs.conf.

Here's an example:

[monitor:///files]
whitelist = \/(qqq|abc)\/\w+\/wls[0-9]+\/user_projects\/domains\/\w+\/servers\/\w+\/logs\/\w+\.out

Which would match any of these files when used with a find /|grep

/files/qqq/foo/wls1234/user_projects/domains/bar/servers/foofoo/logs/foobar.out
/files/abc/BAR/wls1234/user_projects/domains/GOO/servers/foofoo/logs/FBAR.out
/files/abc/FBAR/wls1234/user_projects/domains/GAR/servers/foofoo/logs/GBAR.out

BUT in inputs.conf, it matches a LOT more under /files

In simple English, I need to match:

/files/(abc or qqq)/*/wls*/user_projects/domains/*/servers/*/logs/*.out


jgedeon120
Contributor

Then you're going to need to work with your blacklists and whitelists more. The monitor stanza doesn't allow for full regex.

[monitor:///files/*/wls1234/user_projects/domains/*/servers/*/logs]
whitelist = ^(foobar|FBAR|GBAR)\.out$

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored input.
  Use "..." for recursive directory matching and "*" for wildcard matching
  in a single directory segment.
* "..." recurses through directories. This means that /foo/.../bar will
  match foo/bar, foo/1/bar, foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path.
  For example: /foo/.../bar/...
* The asterisk (*) matches anything in a single path segment; unlike "...",
  it does not recurse. For example, /foo/*/bar matches the files /foo/bar,
  /foo/1/bar, /foo/2/bar, etc. However, it does not match /foo/1/2/bar. A
  second example: /foo/m*r/bar matches /foo/bar, /foo/mr/bar, /foo/mir/bar,
  /foo/moor/bar, etc.
* You can combine "*" and "..." as required: foo/.../bar/* matches any
  file in the bar directory within the specified path.

glitchcowboy
Path Finder

Nope, there are other 'logs' directories in other places in the /files directory tree (e.g. /files/abc/stuff/logs/XYZ.out) which I don't want to report.


jgedeon120
Contributor

Have you tried to use recursive directory matching?

[monitor:///files/.../logs]
whitelist = \w+\.out$

Or
[monitor:///files/.../logs]
whitelist = .out$

Should work.

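As an added offline check (example code written for this thread, not Splunk's own matching code): a small Python model that runs each stanza proposed above against the poster's three wanted paths plus three constructed paths that should stay excluded. It assumes the quoted wildcard rules for the monitor path ("..." recurses, "*" stays within one segment), recursive monitoring below the matched directory, and a whitelist that is an unanchored regex search against the file's full path; the function names and the UNWANTED paths are mine.

```python
import re

# Assumed model (not Splunk's implementation): '/.../' means zero or more
# intermediate directories, a trailing '...' means anything below, '*' matches
# within a single path segment, and a file is monitored if it lies below the
# matched directory and the whitelist regex is found anywhere in its full path.
WILDCARDS = {"/.../": "/(?:.*/)?", "...": ".*", "*": "[^/]*"}

def monitor_path_to_regex(monitor_path: str):
    """Translate the path part of a [monitor://...] stanza into an anchored regex."""
    tokens = re.split(r"(/\.\.\./|\.\.\.|\*)", monitor_path)
    body = "".join(WILDCARDS.get(t, re.escape(t)) for t in tokens)
    return re.compile("^" + body + "(?:/|$)")

def selected_files(monitor_path: str, whitelist: str, paths):
    """Return, in input order, the paths the stanza would monitor under the model."""
    dir_re, wl_re = monitor_path_to_regex(monitor_path), re.compile(whitelist)
    return [p for p in paths if dir_re.match(p) and wl_re.search(p)]

# Sample paths: the three from the question, plus three constructed ones that
# must not be picked up (a stray logs/ directory, a .log file, a file named 'layout').
WANTED = [
    "/files/qqq/foo/wls1234/user_projects/domains/bar/servers/foofoo/logs/foobar.out",
    "/files/abc/BAR/wls1234/user_projects/domains/GOO/servers/foofoo/logs/FBAR.out",
    "/files/abc/FBAR/wls1234/user_projects/domains/GAR/servers/foofoo/logs/GBAR.out",
]
UNWANTED = [
    "/files/abc/stuff/logs/XYZ.out",
    "/files/qqq/foo/wls1234/user_projects/domains/bar/servers/foofoo/logs/foobar.log",
    "/files/abc/stuff/logs/layout",
]

# The (monitor path, whitelist) pairs proposed in the thread.
STANZAS = {
    "original": ("/files", r"\/(qqq|abc)\/\w+\/wls[0-9]+\/user_projects\/domains\/\w+\/servers\/\w+\/logs\/\w+\.out"),
    "wildcard": ("/files/*/wls1234/user_projects/domains/*/servers/*/logs", r"^(foobar|FBAR|GBAR)\.out$"),
    "recursive_w": ("/files/.../logs", r"\w+\.out$"),
    "recursive_dot": ("/files/.../logs", r".out$"),
}

if __name__ == "__main__":
    for name, (path, wl) in STANZAS.items():
        hits = selected_files(path, wl, WANTED + UNWANTED)
        print(f"{name:14s} selects {len(hits)} of {len(WANTED + UNWANTED)}: {hits}")
```

Under this model the "wildcard" stanza selects nothing (the sample paths have an extra segment between qqq/abc and wls1234, and a whitelist starting with ^ is anchored at the start of the full path), the two recursive stanzas also admit the stray /files/abc/stuff/logs/XYZ.out, and the unescaped dot in .out$ additionally admits "layout". Confirm on a real forwarder with `splunk list monitor`.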