Splunk Search

whitelist regex help with multiple strings

joesrepsolc
Communicator

Trying to build a rather simple inputs.conf (or so I thought) to grab two static named files, and the last file has a date built in, so I want to get them all, and any new ones that get created moving forward. I only need help with the whitelist part of the inputs, but can't seem to figure out the combo to get this to work.

catalina.out
vpAppLogClient.log
localhost_access_log.2019-03-19.txt (this one changes every day)

[monitor:///opt/web/tomcatA/logs]
index = web
sourcetype = tomcat_logs
disabled = 0
whitelist = /catalina.out$|/vpAppLogClient.log$|?????

Appreciate the help everyone!!!

0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi,

Instead of creating multiple stanzas, you can create a single monitor input with a regex. That regex will capture catalina.out, vpAppLogClient.log and localhost_access_log.YYYY-MM-DD.txt.

inputs.conf

[monitor:///opt/web/tomcatA/logs]
index = web
sourcetype = tomcat_logs
disabled = 0
whitelist = (catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt)$

EDIT: Fixed typo

0 Karma

joesrepsolc
Communicator

Trying this now, but hoping that it works! Reading through the regex you posted... interesting stuff.

Question: Why do I need the "(" and ")" parentheses around the statement? I missed that on one of my attempts. I also missed the "$" at the end, but was doing that on the end of each file name. Hmmm. Clearly I don't know regex well enough.

0 Karma

harsmarvania57
Ultra Champion

In regex, () is a capturing group, but in this monitor stanza there is no difference whether we use a capturing group or a non-capturing group (?:). I have used () because I am using OR (|) and ending with $ for all 3 files in common. $ is end of line.

0 Karma
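To show why the group and the trailing $ matter (the solution above and the explanation of () and $), here is an added Python check that is not from this thread or from Splunk: it emulates the whitelist as an unanchored regex search over the full file path (an assumption about Splunk's behaviour) and compares the grouped pattern with the same alternatives left ungrouped, against a constructed directory listing that includes rotated and compressed copies.

```python
import re

# Whitelist regex from the accepted answer, kept exactly as posted.
GROUPED = r"(catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt)$"

# Same alternatives without the surrounding group: the $ now binds only to
# the last alternative, so the first two file names are no longer anchored.
UNGROUPED = r"catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt$"

# Constructed sample listing of /opt/web/tomcatA/logs: the three wanted
# files, a newer access log, and rotated/compressed copies that must be skipped
# (otherwise the same events would be indexed twice).
SAMPLE_PATHS = [
    "/opt/web/tomcatA/logs/catalina.out",
    "/opt/web/tomcatA/logs/vpAppLogClient.log",
    "/opt/web/tomcatA/logs/localhost_access_log.2019-03-19.txt",
    "/opt/web/tomcatA/logs/localhost_access_log.2019-03-20.txt",
    "/opt/web/tomcatA/logs/catalina.out.2019-03-18",             # rotated copy
    "/opt/web/tomcatA/logs/vpAppLogClient.log.1",                # rotated copy
    "/opt/web/tomcatA/logs/localhost_access_log.2019-03-18.txt.gz",
    "/opt/web/tomcatA/logs/manager.2019-03-19.log",
]


def whitelist_matches(pattern, paths):
    """Return the paths a whitelist regex admits.

    Assumption (emulation, not Splunk's own code): the whitelist is applied
    as an unanchored regex search over the full path, like re.search here.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def basenames(paths):
    """Strip the directory part so results are easy to read and compare."""
    return [p.rsplit("/", 1)[-1] for p in paths]


if __name__ == "__main__":
    for label, pattern in (("grouped", GROUPED), ("ungrouped", UNGROUPED)):
        print(label, basenames(whitelist_matches(pattern, SAMPLE_PATHS)))
```

The grouped pattern admits exactly the four live files; the ungrouped one also pulls in catalina.out.2019-03-18 and vpAppLogClient.log.1, because without the group the $ anchors only the localhost_access_log alternative.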

joesrepsolc
Communicator

Thanks for the quick response. And THIS WORKED. Super cool. Thank you everyone.

0 Karma

harsmarvania57
Ultra Champion

Welcome 🙂

0 Karma

whrg
Motivator

Hello @joesrepsolc,

I think it is easier here to create multiple monitor stanzas without the whitelist option:

[monitor:///opt/web/tomcatA/logs/catalina.out]
index = web
...

[monitor:///opt/web/tomcatA/logs/vpAppLogClient.log]
index = web
...

[monitor:///opt/web/tomcatA/logs/localhost_access_log.*.txt]
index = web
...
0 Karma

joesrepsolc
Communicator

I am aware of doing it this way, but it does make the length/size of the inputs.conf file much larger and a little harder to manage. But I do appreciate the response. I really wanted to understand the REGEX component so I can utilize the whitelist function.

0 Karma