In inputs.conf, is a fschange stanza itself allowed to have wildcards (like monitors can, or props.conf stanzas can)?
If so, which style is accepted, regular expressions (.* style) or weird Splunk stanza expressions (... style)?
Yes.
from inputs.conf.spec we have:
#*******
# File system monitoring filters:
#*******
[filter:<filtertype>:<filtername>]
* Define a filter of type <filtertype> and name it <filtername>.
<filtertype>
* Filter types are either 'blacklist' or 'whitelist.'
* A whitelist filter processes all file names that match the regex list.
* A blacklist filter skips all file names that match the regex list.
<filtername>
* The filter name is used in the comma-separated list when defining a file system monitor.
regex<integer> = <regex>
* Blacklist and whitelist filters can include a set of regexes.
* The name of each regex MUST be 'regex<integer>', where <integer> starts at 1 and increments.
* Splunk applies each regex in numeric order:
regex1=<regex>
regex2=<regex>
...
One thing to note however is that whitelist and blacklist for fschange are slightly different from the same in the [monitor] stanzas, in fschange, they work like firewall-whitelists/blacklists. (ie, a whitelist does not create an implicit blacklist and vice-versa)
Also note, you cannot use [monitor] and [fschange] for the same directory/file
Lastly, regular expressions are the allowed ones. (.* rex)
For more info: here
i believe so. Best thing to do is actually by trying it...
So in other words, the stanza itself: [fschange:/path/.../to/path/] is a No?