Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extended Regex in Inputs.conf

glitchcowboy
Path Finder
‎09-06-2012 12:40 PM

I have some complicated Extended Regexes that give the right files when used with a find /|grep -E "regex" but do not work in inputs.conf.

Here's an example:

[monitor:///files]
whitelist = \/(qqq|abc)\/\w+\/wls[0-9]+\/user_projects\/domains\/\w+\/servers\/\w+\/logs\/\w+\.out

Which would match any of these files when used with a find /|grep

/files/qqq/foo/wls1234/user_projects/domains/bar/servers/foofoo/logs/foobar.out
/files/abc/BAR/wls1234/user_projects/domains/GOO/servers/foofoo/logs/FBAR.out
/files/abc/FBAR/wls1234/user_projects/domains/GAR/servers/foofoo/logs/GBAR.out

BUT in inputs.conf, it matches a LOT more under /files

In simple english, I need to match:

/files/(abc or qqq)/*/wls*/user_projects/domains/*/servers/*/logs/*.out

Tags (2)
0 Karma
Reply

jgedeon120
Contributor
‎09-06-2012 04:28 PM

Then your going to need to work with your blacklists and whitelists more. The monitor stanza doesn't allow for full regex.

[monitor:///files/*/wls1234/user_projects/domains/*/servers/*/logs]
whitelist = ^(foobar|FBAR|GBAR)\.out$

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored input.
Use "..." for recursive directory

matching and "" for wildcard matching
in a single directory segment.
* "..." recurses through directories. This means that /foo/.../bar will
match foo/bar, foo/1/bar,

foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path.
For example: /foo/.../bar/...
* The asterisk () matches anything in a single path segment; unlike "...",
it does not recurse. For example,

/foo//bar matches the files /foo/bar,
/foo/1/bar, /foo/2/bar, etc. However,
it does not match /foo/1/2/bar . A
second example: /foo/m*r/bar matches
/foo/bar, /foo/mr/bar, /foo/mir/bar,
/foo/moor/bar, etc.
* You can combine "" and "..." as required: foo/.../bar/* matches any
file in the bar directory within the

specified path.

Reply

glitchcowboy
Path Finder
‎09-06-2012 02:24 PM

Nope, there are other 'logs' directories in other places in the /files directory tree (e.g. /files/abc/stuff/logs/XYZ.out) which I don't want to report.

0 Karma
Reply

jgedeon120
Contributor
‎09-06-2012 01:28 PM

Have you tried to use recursive directory matching?

[monitor:///files/.../logs]
whitelist = \w+\.out$

Or
[monitor:///files/.../logs]
whitelist = .out$

Should work.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...