Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extended Regex in Inputs.conf

glitchcowboy
Path Finder
‎09-06-2012 12:40 PM

I have some complicated Extended Regexes that give the right files when used with a find /|grep -E "regex" but do not work in inputs.conf.

Here's an example:

[monitor:///files]
whitelist = \/(qqq|abc)\/\w+\/wls[0-9]+\/user_projects\/domains\/\w+\/servers\/\w+\/logs\/\w+\.out

Which would match any of these files when used with a find /|grep

/files/qqq/foo/wls1234/user_projects/domains/bar/servers/foofoo/logs/foobar.out
/files/abc/BAR/wls1234/user_projects/domains/GOO/servers/foofoo/logs/FBAR.out
/files/abc/FBAR/wls1234/user_projects/domains/GAR/servers/foofoo/logs/GBAR.out

BUT in inputs.conf, it matches a LOT more under /files

In simple english, I need to match:

/files/(abc or qqq)/*/wls*/user_projects/domains/*/servers/*/logs/*.out

Tags (2)
0 Karma
Reply

jgedeon120
Contributor
‎09-06-2012 04:28 PM

Then your going to need to work with your blacklists and whitelists more. The monitor stanza doesn't allow for full regex.

[monitor:///files/*/wls1234/user_projects/domains/*/servers/*/logs]
whitelist = ^(foobar|FBAR|GBAR)\.out$

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored input.
Use "..." for recursive directory

matching and "" for wildcard matching
in a single directory segment.
* "..." recurses through directories. This means that /foo/.../bar will
match foo/bar, foo/1/bar,

foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path.
For example: /foo/.../bar/...
* The asterisk () matches anything in a single path segment; unlike "...",
it does not recurse. For example,

/foo//bar matches the files /foo/bar,
/foo/1/bar, /foo/2/bar, etc. However,
it does not match /foo/1/2/bar . A
second example: /foo/m*r/bar matches
/foo/bar, /foo/mr/bar, /foo/mir/bar,
/foo/moor/bar, etc.
* You can combine "" and "..." as required: foo/.../bar/* matches any
file in the bar directory within the

specified path.

Reply

glitchcowboy
Path Finder
‎09-06-2012 02:24 PM

Nope, there are other 'logs' directories in other places in the /files directory tree (e.g. /files/abc/stuff/logs/XYZ.out) which I don't want to report.

0 Karma
Reply

jgedeon120
Contributor
‎09-06-2012 01:28 PM

Have you tried to use recursive directory matching?

[monitor:///files/.../logs]
whitelist = \w+\.out$

Or
[monitor:///files/.../logs]
whitelist = .out$

Should work.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...