Splunk Search

whitelist regex help with multiple strings

joesrepsolc
Communicator

Trying to build a rather simple inputs.conf (or so I thought) to grab two static named files, and the last file has a date built in, so I want to get them all, and any new ones that get created moving forward. I only need help with the whitelist part of the inputs, but can't seem to figure out the combo to get this to work.

catalina.out
vpAppLogClient.log
localhost_access_log.2019-03-19.txt (this one changes everyday)

[monitor:///opt/web/tomcatA/logs]
index = web
sourcetype = tomcat_logs
disabled = 0
whitelist = /catalina.out$|/vpAppLogClient.log$|?????

Appreciate the help everyone!!!

0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi,

Instead of creating multiple stanzas, you can create a single monitor input with a regex. That regex will capture catalina.out, vpAppLogClient.log and localhost_access_log.YYYY-MM-DD.txt

inputs.conf

[monitor:///opt/web/tomcatA/logs]
index = web
sourcetype = tomcat_logs
disabled = 0
whitelist = (catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt)$

EDIT: Fixed typo

0 Karma

joesrepsolc
Communicator

Trying this now, but hoping that it works! Reading thru the regex you posted... interesting stuff.

Question: Why do I need the "(" and ")" parenthesis around the statement? I missed that on one of my attempts. I also missed the "$" at the end, but was doing that on the end of each file name. Hmmm. Clearly I don't know regex well enough.

0 Karma

harsmarvania57
Ultra Champion

In regex, () is a capturing group, but in this monitor stanza there is no difference whether we use a capturing group or a non-capturing group (?:). I have used () because I am using OR | and ending with $ for all 3 files in common. $ is end of line.

0 Karma
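The following is an added example, not code from the thread or from Splunk, that exercises the accepted answer's whitelist against a constructed directory listing so the two points above can be checked rather than taken on faith: the group makes the `$` anchor apply to every alternative, and the escaped dots keep `catalina.out` from matching anything that merely has some character between `catalina` and `out`. Splunk applies a monitor stanza's whitelist/blacklist regex to the full path of each file under the monitored directory, so the helper tests full paths. Python's `re` is not PCRE, but for this pattern the semantics are identical. The filenames, the rotated copies, and `catalinaXout` are all invented for the example.

```python
import re

# Constructed directory listing for the example; the real contents of
# /opt/web/tomcatA/logs are an assumption. Rotated copies and odd names are
# included on purpose to show what each pattern lets through.
LOG_DIR = "/opt/web/tomcatA/logs"
SAMPLE_FILES = [
    "catalina.out",
    "catalina.out.2019-03-18",              # rotated copy: must NOT match
    "vpAppLogClient.log",
    "vpAppLogClient.log.1",                 # rotated copy: must NOT match
    "localhost_access_log.2019-03-19.txt",
    "localhost_access_log.2019-03-20.txt",  # tomorrow's file: must match
    "localhost_access_log.txt",             # no date: must NOT match
    "manager.2019-03-19.log",               # unrelated Tomcat log
    "catalinaXout",                         # only an unescaped '.' matches this
]

# The whitelist from the accepted answer: one group, one trailing anchor.
WHITELIST = (
    r"(catalina\.out|vpAppLogClient\.log|"
    r"localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt)$"
)

# Same alternation without the group: '$' binds only to the last branch,
# so the first two branches match anywhere in the path.
WHITELIST_NO_GROUP = (
    r"catalina\.out|vpAppLogClient\.log|"
    r"localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt$"
)

# Same shape but with the dots left unescaped: '.' is "any character".
WHITELIST_UNESCAPED = (
    r"(catalina.out|vpAppLogClient.log|"
    r"localhost_access_log.\d{4}-\d{2}-\d{2}.txt)$"
)


def monitored_files(whitelist, filenames=SAMPLE_FILES, log_dir=LOG_DIR):
    """Return the filenames whose full path matches the whitelist regex.

    re.search rather than re.match: like Splunk, the regex is unanchored
    unless the pattern anchors itself, which is why the '$' matters.
    """
    pattern = re.compile(whitelist)
    return [name for name in filenames if pattern.search(f"{log_dir}/{name}")]


if __name__ == "__main__":
    for label, pattern in (
        ("grouped, anchored (accepted answer)", WHITELIST),
        ("no group", WHITELIST_NO_GROUP),
        ("unescaped dots", WHITELIST_UNESCAPED),
    ):
        print(f"{label}:")
        for name in monitored_files(pattern):
            print(f"  {name}")
```

Run stand-alone it prints the files each pattern would admit. Only the grouped, anchored pattern admits exactly the three intended files plus the next day's access log; dropping the group lets `catalina.out.2019-03-18` and `vpAppLogClient.log.1` in, and dropping the backslashes lets `catalinaXout` in. The same check is worth repeating whenever a whitelist is edited, since an over-broad whitelist silently ingests rotated files (duplicate events and licence usage) and an over-narrow one silently drops the log you are relying on for detection.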

joesrepsolc
Communicator

Thanks for the quick response. And THIS WORKED. Super cool. Thank you everyone.

0 Karma

harsmarvania57
Ultra Champion

Welcome 🙂

0 Karma

whrg
Motivator

Hello @joesrepsolc,

I think it is easier here to create multiple monitor stanzas without the whitelist option:

[monitor:///opt/web/tomcatA/logs/catalina.out]
index = web
...

[monitor:///opt/web/tomcatA/logs/vpAppLogClient.log]
index = web
...

[monitor:///opt/web/tomcatA/logs/localhost_access_log.*.txt]
index = web
...

0 Karma

joesrepsolc
Communicator

I am aware of doing it this way, but it does make the length/size of the inputs.conf file much larger and a little harder to manage. But I do appreciate the response. I really wanted to understand the REGEX component so I can utilize the whitelist function.

0 Karma