Hi,
Is the following valid for an inputs.conf? Wondering if the last part of the monitor statement is necessary (or even valid), since a whitelist is also provided.
[monitor:///mgs/home/nclogs/SG_HTTP.W*]
disabled = false
followTail = 0
index = istr_security
sourcetype = bcoat_log
blacklist = .*FW.*|.*WLAN.*|.*PLUG.*|SG_SOCKS.*|SG_STREAM.*|SG_HTTP\.WCNGRTD01.*
whitelist = SG_HTTP\.WCNGRTD02.*\.log.gz|SG_HTTP\.WCNCWESTA01.*\.log.gz|SG_HTTP\.WCRTDDC01.*\.log.gz|SG_HTTP\.WCV001.*\.log.gz|SG_HTTP\.WCNGMMK01.*\.log.gz|SG_HTTP\.WCCHNI01.*\.log.gz|SG_HTTP\.WCSLCGATE01.*\.log.gz|SG_HTTP\.WCSLCGATE02.*\.log.gz|SG_HTTP\.WCNGSLCGATE01.*\.log.gz|SG_HTTP\.WCZ1C01.*\.log.gz|SG_HTTP\.WCNGWTC01.*\.log.gz|SG_HTTP\.WCZ1C02.*\.log.gz|SG_HTTP\.WCNCWESTA01.*\.log.gz
host_regex = /mgs/home/nclogs/SG_HTTP\.(W[^\.]*)(?=\..*)
ignoreOlderThan = 3d
The wildcard is valid in your monitor statement (also known as a "stanza"). Be aware that your whitelist and blacklist apply only to what matches your monitor statement.
So, first Splunk will find all files that match: monitor:///mgs/home/nclogs/SG_HTTP.W*
Then, out of those files, it will make a new list containing anything that matches your whitelist.
Finally, it takes that new list and filters out anything that is in your blacklist.
The result of those three steps is what will be indexed into Splunk.
Could you be more specific about which part of the monitor statement you are wondering is necessary?
The last part - the wildcard. Instead of doing the wildcard, end it with "/", and just use the whitelist. Using the wildcard at the end and then the whitelist concerns me - is it valid?
Anyone?
According to the docs, the files would have to match the whitelist anyway, so the wildcard probably isn't needed in the monitor stanza.
Also have a look at the Wildcards and whitelisting section in the following doc. It would seem like Splunk is creating an implicit stanza from the longest non-wildcarded path and whitelisting the rest anyway.
http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Specifyinputpathswithwildcards
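
The three filtering steps described in the thread, modelled in Python as an added example (not code from the thread or from Splunk). It compares the wildcard form of the monitor path with the directory-plus-whitelist form over constructed file names. Assumptions of this model: `*` matches within one path segment, a directory monitor recurses into subdirectories, whitelist and blacklist are unanchored regexes matched against the full path, and `ignoreOlderThan` is not modelled.

```python
import re

# Settings from the stanza in the question; the whitelist is shortened to three
# of its alternatives (the others follow the same pattern).
MONITOR = "/mgs/home/nclogs/SG_HTTP.W*"
WHITELIST = (r"SG_HTTP\.WCNGRTD02.*\.log.gz|SG_HTTP\.WCV001.*\.log.gz"
             r"|SG_HTTP\.WCZ1C01.*\.log.gz")
BLACKLIST = r".*FW.*|.*WLAN.*|.*PLUG.*|SG_SOCKS.*|SG_STREAM.*|SG_HTTP\.WCNGRTD01.*"

D = "/mgs/home/nclogs/"
FILES = [  # constructed sample paths, not taken from the thread
    D + "SG_HTTP.WCNGRTD02.20150301.log.gz",
    D + "SG_HTTP.WCNGRTD01.20150301.log.gz",
    D + "SG_HTTP.WCV001.20150301.log",
    D + "SG_HTTP.WCZ1C01_FW.20150301.log.gz",
    D + "SG_SOCKS.WCV001.20150301.log.gz",
    D + "archive/SG_HTTP.WCV001.20150201.log.gz",
]

def in_monitor_scope(path, monitor):
    """Step 1: does the path fall under the monitor statement?"""
    if "*" not in monitor:
        # Assumption: a directory monitor recurses into subdirectories.
        return path.startswith(monitor.rstrip("/") + "/")
    # Assumption: '*' matches within a single path segment, anchored at the end.
    pattern = "[^/]*".join(re.escape(part) for part in monitor.split("*"))
    return re.search("^" + pattern + "$", path) is not None

def selected(paths, monitor, whitelist, blacklist):
    """Return the paths left after the three steps described in the thread."""
    kept = []
    for path in paths:
        if not in_monitor_scope(path, monitor):
            continue
        # Steps 2 and 3: unanchored regex search against the full path.
        if re.search(whitelist, path) and not re.search(blacklist, path):
            kept.append(path)
    return kept

if __name__ == "__main__":
    for form in (MONITOR, D):
        print(form, "->", selected(FILES, form, WHITELIST, BLACKLIST))
```

In this model the two forms differ only for the file under `archive/`: the directory form picks it up because the whitelist can match anywhere in the path.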