Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extended Regex in Inputs.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extended Regex in Inputs.conf
I have some complicated Extended Regexes that give the right files when used with a find /|grep -E "regex" but do not work in inputs.conf.
Here's an example:
[monitor:///files]
whitelist = \/(qqq|abc)\/\w+\/wls[0-9]+\/user_projects\/domains\/\w+\/servers\/\w+\/logs\/\w+\.out
Which would match any of these files when used with a find /|grep
/files/qqq/foo/wls1234/user_projects/domains/bar/servers/foofoo/logs/foobar.out
/files/abc/BAR/wls1234/user_projects/domains/GOO/servers/foofoo/logs/FBAR.out
/files/abc/FBAR/wls1234/user_projects/domains/GAR/servers/foofoo/logs/GBAR.out
BUT in inputs.conf, it matches a LOT more under /files
In simple english, I need to match:
/files/(abc or qqq)/*/wls*/user_projects/domains/*/servers/*/logs/*.out
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then your going to need to work with your blacklists and whitelists more. The monitor stanza doesn't allow for full regex.
[monitor:///files/*/wls1234/user_projects/domains/*/servers/*/logs]
whitelist = ^(foobar|FBAR|GBAR)\.out$
http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf
Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored input.
Use "..." for recursive directory
matching and "" for wildcard matching
in a single directory segment.
* "..." recurses through directories. This means that /foo/.../bar will
match foo/bar, foo/1/bar,
foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path.
For example: /foo/.../bar/...
* The asterisk () matches anything in a single path segment; unlike "...",
it does not recurse. For example,
/foo//bar matches the files /foo/bar,
/foo/1/bar, /foo/2/bar, etc. However,
it does not match /foo/1/2/bar . A
second example: /foo/m*r/bar matches
/foo/bar, /foo/mr/bar, /foo/mir/bar,
/foo/moor/bar, etc.
* You can combine "" and "..." as required: foo/.../bar/* matches any
file in the bar directory within the
specified path.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope, there are other 'logs' directories in other places in the /files directory tree (e.g. /files/abc/stuff/logs/XYZ.out) which I don't want to report.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried to use recursive directory matching?
[monitor:///files/.../logs]
whitelist = \w+\.out$
Or
[monitor:///files/.../logs]
whitelist = .out$
Should work.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
