Extended Regex in Inputs.conf

glitchcowboy
Path Finder

I have some complicated Extended Regexes that give the right files when used with a find /|grep -E "regex" but do not work in inputs.conf.

Here's an example:

[monitor:///files]
whitelist = \/(qqq|abc)\/\w+\/wls[0-9]+\/user_projects\/domains\/\w+\/servers\/\w+\/logs\/\w+\.out

Which would match any of these files when used with a find /|grep

/files/qqq/foo/wls1234/user_projects/domains/bar/servers/foofoo/logs/foobar.out
/files/abc/BAR/wls1234/user_projects/domains/GOO/servers/foofoo/logs/FBAR.out
/files/abc/FBAR/wls1234/user_projects/domains/GAR/servers/foofoo/logs/GBAR.out

BUT in inputs.conf, it matches a LOT more under /files.

In simple English, I need to match:

/files/(abc or qqq)/*/wls*/user_projects/domains/*/servers/*/logs/*.out


jgedeon120
Contributor

Then you're going to need to work with your blacklists and whitelists more. The monitor stanza doesn't allow for full regex.

[monitor:///files/*/wls1234/user_projects/domains/*/servers/*/logs]
whitelist = ^(foobar|FBAR|GBAR)\.out$

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored input. Use "..." for recursive directory matching and "*" for wildcard matching in a single directory segment.
* "..." recurses through directories. This means that /foo/.../bar will match foo/bar, foo/1/bar, foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path. For example: /foo/.../bar/...
* The asterisk (*) matches anything in a single path segment; unlike "...", it does not recurse. For example, /foo/*/bar matches the files /foo/bar, /foo/1/bar, /foo/2/bar, etc. However, it does not match /foo/1/2/bar. A second example: /foo/m*r/bar matches /foo/bar, /foo/mr/bar, /foo/mir/bar, /foo/moor/bar, etc.
* You can combine "*" and "..." as required: foo/.../bar/* matches any file in the bar directory within the specified path.

glitchcowboy
Path Finder

Nope, there are other 'logs' directories in other places in the /files directory tree (e.g. /files/abc/stuff/logs/XYZ.out) which I don't want to report.


jgedeon120
Contributor

Have you tried to use recursive directory matching?

[monitor:///files/.../logs]
whitelist = \w+\.out$

Or

[monitor:///files/.../logs]
whitelist = .out$

Should work.

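To see what the wildcard rules quoted above and a whitelist regex actually select, here is a small Python model of a monitor stanza, added as an example and not part of this thread. It assumes Splunk's documented defaults, that a monitor stanza recurses below the matched directory and that whitelist is searched unanchored against the full file path; the "anchored" entry is this example's own suggestion, not something posted in the thread.

```python
import re

# Constructed sample paths taken from the thread: the three files the poster
# wants, and the one under another 'logs' directory that they do not want.
WANTED = [
    "/files/qqq/foo/wls1234/user_projects/domains/bar/servers/foofoo/logs/foobar.out",
    "/files/abc/BAR/wls1234/user_projects/domains/GOO/servers/foofoo/logs/FBAR.out",
    "/files/abc/FBAR/wls1234/user_projects/domains/GAR/servers/foofoo/logs/GBAR.out",
]
UNWANTED = ["/files/abc/stuff/logs/XYZ.out"]

def monitor_to_regex(path):
    """Anchored regex for a monitor path, per the quoted docs: '...' recurses
    through any number of directories, '*' matches within one segment.  Files
    below the matched directory count too (a stanza recurses by default)."""
    parts = []
    for seg in path.split("/"):
        if seg == "...":
            parts.append("(?:[^/]+/)*")  # zero or more whole segments
        else:
            parts.append(re.escape(seg).replace(r"\*", "[^/]*") + "/")
    return "^" + "".join(parts) + "(?:[^/]+/)*[^/]+$"

def monitored_files(monitor_path, whitelist, candidates):
    """Paths a stanza picks up: under the monitor path, and the whitelist regex
    is searched unanchored against the full path (so give it ^ and $)."""
    dir_re = re.compile(monitor_to_regex(monitor_path))
    wl_re = re.compile(whitelist)
    return [p for p in candidates if dir_re.match(p) and wl_re.search(p)]

# (monitor path, whitelist) pairs from the thread, plus "anchored", an addition
# of this example (not from the thread) that pins the whole path with ^...$ and
# keeps every wildcard inside a single directory segment with [^/]+.
CONFIGS = {
    "original": ("/files",
        r"\/(qqq|abc)\/\w+\/wls[0-9]+\/user_projects\/domains\/\w+\/servers\/\w+\/logs\/\w+\.out"),
    "reply_wildcards": ("/files/*/wls1234/user_projects/domains/*/servers/*/logs",
        r"^(foobar|FBAR|GBAR)\.out$"),
    "reply_recursive": ("/files/.../logs", r"\w+\.out$"),
    "anchored": ("/files",
        r"^/files/(qqq|abc)/[^/]+/wls[0-9]+/user_projects/domains/[^/]+/servers/[^/]+/logs/[^/]+\.out$"),
}

def evaluate(name):
    """Sample paths selected by the named config."""
    path, wl = CONFIGS[name]
    return monitored_files(path, wl, WANTED + UNWANTED)
```

Running `evaluate()` over each entry shows that `/files/.../logs` also pulls in the unwanted `/files/abc/stuff/logs/XYZ.out`, because "..." matches any depth, while the anchored whitelist selects exactly the three wanted files.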