Solved: Regex in Whitelist, in inputs.conf regex help

aa70627 · ‎02-27-2018

I'm trying to monitor log files within my application for the error & fatal logs, which can look like
web-error.log
web-error.log2018-02-01
web-error.log2018-02-02
web-error.log2018-02-02

There's other types of logs in the same directory that follows similar pattern such as web-info.log, web-debug.log, web-warn.log. For now, I'm having issues setting up monitoring just the web.log and all its archived logs.

My inputs.conf is setup with this:
[monitor:////wsbbat/web/dev/logs]
index=webdev
sourcetype = log4j
source = weberrors
whitelist = web-error.log*
crcSalt =

[monitor:////wsbbat/web/dev/logs]
index=webdev
sourcetype = log4j
source = webfatal
whitelist = web-fatal.log*
crcSalt =

I've tried other whitelist pattern such as ones below but none of these patterns seems to work

whitelist = web-error.log$|web.log\d{4}-\d{2}-\d{2}
whitelist = web-error.log$|web.log\d{4}-\d{2}-\d{2}$
whitelist = web-error.log$|web.log[0-9-]+
whitelist = web-error.log$|web.log.*

somesoni2 · ‎02-27-2018

Just use like this
Fixed typo

[monitor:////wsbbat/web/dev/logs/web-error.log*]
index=web_dev
sourcetype = log4j
source = web_errors

[monitor:////wsbbat/web/dev/logs/web-fatal.log*]
index=web_dev
sourcetype = log4j
source = web_fatal

View solution in original post

aa70627 · ‎02-27-2018

BTW thanks. Trying it out now.

is the second one a typo
[monitor:////wsbbat/web/dev/logs/whitelist = web-fatal.log*]

did you mean
[monitor:////wsbbat/web/dev/logs/web-error.log*]
index=webdev
sourcetype = log4j
source = weberrors

[monitor:////wsbbat/web/dev/logs/web-fatal.log*]
index=webdev
sourcetype = log4j
source = webfatal

FrankVl · ‎02-27-2018

Looks like it 🙂

aa70627 · ‎03-01-2018

Thanks that worked for me.

Regex in Whitelist, in inputs.conf regex help

Re: Regex in Whitelist, in inputs.conf regex help

Re: Regex in Whitelist, in inputs.conf regex help

Re: Regex in Whitelist, in inputs.conf regex help

Re: Regex in Whitelist, in inputs.conf regex help