Getting Data In

fschange stanza: allows wildcards?

Jason
Motivator

In inputs.conf, is a fschange stanza itself allowed to have wildcards (like monitors can, or props.conf stanzas can)?

If so, which style is accepted, regular expressions (.* style) or weird Splunk stanza expressions (... style)?

Tags (1)
0 Karma

Genti
Splunk Employee
Splunk Employee

Yes.
from inputs.conf.spec we have:

#*******
# File system monitoring filters:
#*******

[filter:<filtertype>:<filtername>]
* Define a filter of type <filtertype> and name it <filtername>.

<filtertype>
* Filter types are either 'blacklist' or 'whitelist.' 
* A whitelist filter processes all file names that match the regex list.
* A blacklist filter skips all file names that match the regex list.

<filtername>
* The filter name is used in the comma-separated list when defining a file system monitor.

regex<integer> = <regex>    
* Blacklist and whitelist filters can include a set of regexes.
* The name of each regex MUST be 'regex<integer>', where <integer> starts at 1 and increments. 
* Splunk applies each regex in numeric order:
  regex1=<regex>
  regex2=<regex>
  ...

One thing to note however is that whitelist and blacklist for fschange are slightly different from the same in the [monitor] stanzas, in fschange, they work like firewall-whitelists/blacklists. (ie, a whitelist does not create an implicit blacklist and vice-versa)

Also note, you cannot use [monitor] and [fschange] for the same directory/file

Lastly, regular expressions are the allowed ones. (.* rex)

For more info: here

0 Karma

Genti
Splunk Employee
Splunk Employee

i believe so. Best thing to do is actually by trying it...

0 Karma

Jason
Motivator

So in other words, the stanza itself: [fschange:/path/.../to/path/] is a No?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...