Splunk Search

Regex in Whitelist, in inputs.conf... Help!

mfeeny1
Path Finder

Hi... Pls forgive me, I have not used Regular Expressions in quite a while, and the following one really threw me. I'm looking for some clarification (enlightenment, maybe??? :slightly_smiling_face: ...

I found the following in inputs.conf on a certain Universal Forwarder:

whitelist = r.log$|t.log$|s_log$

I would have THOUGHT that only the following - very specific - log names would match:

r.log, t.log, s_log

But, I'm told that anything ENDING in these strings will match, e.g.:

avatar.log, long-long-stringt.log, whatever-you-wants_log

Is the second correct? If so, it confuses me that I wouldn't have to precede each regex with something like "dot star" to tell it that any number of characters can precede the "r".

Any clarification will be greatly appreciated!!

mfeeny1

Tags (2)
0 Karma

southeringtonp
Motivator

Splunk is trying to match any portion of the string.

The '$' character will match at the end of the string.

Similarly, you can match ("anchor") at the beginning of the string by using '^'.

Remember too that a '.' will match any single character, not just a literal dot, unless you escape it with a slash first.

Try this:

whitelist = (^r\.log$)|(^t\.log$)|(^s\.log$)
0 Karma

lguinn2
Legend

FWIW, whitelists and blacklists ARE regular expressions. But the monitor stanza itself is NOT!

[monitor://]

is NOT a reg expr & it isn't a normal wild card either! From inputs.conf.spec:

"You can use wildcards to specify your input path for monitored input. Use "..." for recursive directory matching and "*" for wildcard matching in a single directory segment"

I hope I am not confusing here, but I've seen people get bitten when they think that the whitelists, blacklists & the monitor stanza all use the same syntax.

Also see props.conf.spec re: the [source::] stanza

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...