Trying to build a rather simple inputs.conf (or so I thought) to grab two static named files, and the last file has a date built in, so I want to get them all, and any new ones that get created moving forward. I only need help with the whitelist part of the inputs, but can't seem to figure out the combo to get this to work.
catalina.out
vpAppLogClient.log
localhost_access_log.2019-03-19.txt (this one changes everyday)
[monitor:///opt/web/tomcatA/logs]
index = web
sourcetype = tomcat_logs
disabled = 0
whitelist = /catalina.out$|/vpAppLogClient.log$|?????
Appreciate the help everyone!!!
Hi,
Instead of creating multiple stanzas, you can create a single monitor input with regex. That regex will capture catalina.out, vpAppLogClient.log and localhost_access_log.YYYY-MM-DD.txt
inputs.conf
[monitor:///opt/web/tomcatA/logs]
index = web
sourcetype = tomcat_logs
disabled = 0
whitelist = (catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt)$
EDIT: Fixed typo
Trying this now, but hoping that it works! Reading through the regex you posted... interesting stuff.
Question: Why do I need the "(" and ")" parentheses around the statement? I missed that on one of my attempts. I also missed the "$" at the end, but was doing that on the end of each file name. Hmmm. Clearly I don't know regex well enough.
In regex, () is a capturing group, but in this monitor stanza there is no difference if we use a capturing group or a non-capturing group (?:). I have used () because I am using OR | and ending with $ for all 3 files in common. $ is end of line.
Thanks for the quick response. And THIS WORKED. Super cool. Thank you everyone.
Welcome 🙂
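A way to check a whitelist offline before deploying it, as an added example that is not part of the thread: it runs the accepted answer's regex over constructed file names and compares it with a hypothetical variant that keeps the leading "/" from the original question. It assumes the whitelist is applied as an unanchored regex search against the full file path; the `ANCHORED` pattern, the sample names and the function names are all made up for illustration.

```python
import re

# Whitelist from the accepted answer (copied from the thread).
ANSWER = r"(catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt)$"
# Hypothetical tightened variant (not from the thread): the leading "/" pins
# each alternative to the start of the file name.
ANCHORED = r"/(catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}-\d{2}-\d{2}\.txt)$"

LOG_DIR = "/opt/web/tomcatA/logs"

# Constructed sample file names: the three wanted files plus near misses.
SAMPLES = [
    "catalina.out",
    "vpAppLogClient.log",
    "localhost_access_log.2019-03-19.txt",
    "localhost_access_log.2019-03-20.txt",
    "catalina.out.1",                          # rotated copy
    "localhost_access_log.2019-03-19.txt.gz",  # compressed copy
    "localhost_access_log.txt",                # no date in the name
    "old_catalina.out",                        # wanted name with a prefix
    "debug_vpAppLogClient.log",                # wanted name with a prefix
]


def selected(whitelist, names=SAMPLES, log_dir=LOG_DIR):
    """Return the names whose full path matches the whitelist.

    Assumption: the whitelist is searched (unanchored) against the full path.
    """
    rx = re.compile(whitelist)
    return [n for n in names if rx.search(f"{log_dir}/{n}")]


def compare(a=ANSWER, b=ANCHORED):
    """Return the names picked up by pattern a but not by pattern b."""
    in_b = set(selected(b))
    return [n for n in selected(a) if n not in in_b]


if __name__ == "__main__":
    for label, pattern in (("answer", ANSWER), ("anchored", ANCHORED)):
        print(label)
        for name in selected(pattern):
            print("  monitored:", name)
    print("only matched without the leading '/':", compare())
```

Both patterns skip the rotated, compressed and undated files because of the trailing `$`; only the variant with the leading "/" also skips files whose names merely end in one of the wanted names.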
Hello @joesrepsolc,
I think it is easier here to create multiple monitor stanzas without the whitelist option:
[monitor:///opt/web/tomcatA/logs/catalina.out]
index = web
...
[monitor:///opt/web/tomcatA/logs/vpAppLogClient.log]
index = web
...
[monitor:///opt/web/tomcatA/logs/localhost_access_log.*.txt]
index = web
...
I am aware of doing it this way, but it does make the length/size of the inputs.conf file much larger and a little harder to manage. But I do appreciate the response. I really wanted to understand the REGEX component so I can utilize the whitelist function.