Re: whitelist syntax - inputs.conf

nathanlhopkins · ‎05-18-2013

I'd like to index files in /DIR/autosys/logs as below;

Linux equivalent:
cd /DIR/autosys/logs
ls app*ua1*START_MT*

Please can someone help me correct below:

[monitor:///DIR/autosys/logs]
whitelist = app\ua1\STOP_MT\$
disabled = false
index = test_index

dwaddle · ‎05-18-2013

This should work:

[monitor:///DIR/autosys/logs] 
whitelist = app.*ua1.*START_MT.*$
disabled = false 
index = test_index

Also, this should work just as well:

[monitor:///DIR/autosys/logs/app*ua1*START_MT*] 
disabled = false 
index = test_index

Whitelists and blacklists are just regular expressions. The equivalent to a * glob (shell expansion) is ".*". The best way to visualize how whitelists/blacklists work from a unix point of view is

find $STARTDIR -print | egrep "$WHITELIST" | egrep -v "$BLACKLIST"

nathanlhopkins · ‎05-22-2013

Many thanks - I didn't really need the whitelist as you pointed out

dwaddle · ‎05-19-2013

easiest way to deal with the markdown formatting is to actually use a code block (4 spaces)

nathanlhopkins · ‎05-19-2013

sorry - I didn't realise markdown was removing my *'s - i'm after: ls app*ua1*START_MT*

nathanlhopkins · ‎05-19-2013

sorry - something seems to be wrong with pasting into these boxes - i'm after:

ls app*ua1*START_MT*

whitelist syntax - inputs.conf

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!