Getting Data In

Is it necessary or even valid to use a * (wildcard) in an inputs.conf monitor stanza's path if I'm also specifying a whitelist?

a212830
Champion

Hi,

Is the following valid for an inputs.conf? Wondering if the last part of the monitor statement is necessary (or even valid), since a whitelist is also provided.

[monitor:///mgs/home/nclogs/SG_HTTP.W*]
disabled = false
followTail = 0
index = istr_security
sourcetype = bcoat_log
blacklist = .*FW.*|.*WLAN.*|.*PLUG.*|SG_SOCKS.*|SG_STREAM.*|SG_HTTP\.WCNGRTD01.*
whitelist = SG_HTTP\.WCNGRTD02.*\.log.gz|SG_HTTP\.WCNCWESTA01.*\.log.gz|SG_HTTP\.WCRTDDC01.*\.log.gz|SG_HTTP\.WCV001.*\.log.gz|SG_HTTP\.WCNGMMK01.*\.log.gz|SG_HTTP\.WCCHNI01.*\.log.gz|SG_HTTP\.WCSLCGATE01.*\.log.gz|SG_HTTP\.WCSLCGATE02.*\.log.gz|SG_HTTP\.WCNGSLCGATE01.*\.log.gz|SG_HTTP\.WCZ1C01.*\.log.gz|SG_HTTP\.WCNGWTC01.*\.log.gz|SG_HTTP\.WCZ1C02.*\.log.gz|SG_HTTP\.WCNCWESTA01.*\.log.gz
host_regex = /mgs/home/nclogs/SG_HTTP\.(W[^\.]*)(?=\..*)
ignoreOlderThan = 3d
0 Karma

masonmorales
Influencer

The wildcard is valid in your monitor statement (also known as a "stanza"). Be aware that your whitelist and blacklist apply only to what matches your monitor statement.

So, first Splunk will find all files that match: monitor:///mgs/home/nclogs/SG_HTTP.W*

Then, out of those files, it will make a new list containing anything that matches your whitelist.

Finally, it takes that new list and filters out anything that is in your blacklist.

The result of those three steps is what will be indexed into Splunk.

0 Karma

masonmorales
Influencer

Could you be more specific about which part of the monitor statement you are wondering is necessary?

0 Karma

a212830
Champion

The last part - the wildcard. Instead of doing the wildcard, end it with "/", and just use the whitelist. Using the wildcard at the end and then the whitelist concerns me - is it valid?

0 Karma

a212830
Champion

Anyone?

0 Karma

maciep
Champion

According to the docs, the files would have to match the whitelist anyway, so the wildcard probably isn't needed in the monitor stanza.

Also have a look at the Wildcards and whitelisting section in the following doc. It would seem like Splunk is creating an implicit stanza from the longest non-wildcarded path and whitelisting the rest anyway.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Specifyinputpathswithwildcards

0 Karma
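To make the two answers above concrete, here is an added simulation (not code from the thread or from Splunk) of how a monitor path, whitelist and blacklist combine. It models the documented rules: `*` in a monitor path does not cross a directory separator, `...` does, a monitor path without wildcards is treated as a recursive directory monitor, whitelist and blacklist are unanchored regexes matched against the full path, and a blacklist match overrides a whitelist match. The stanza values are copied from the question (whitelist shortened to two hosts); the candidate file paths are constructed for the example. It also runs the asker's alternative, a stanza ending in "/" with the same whitelist, so the difference between the two approaches is visible.

```python
import re

# Stanza values copied from the question (whitelist trimmed to two hosts).
MONITOR_PATH = "/mgs/home/nclogs/SG_HTTP.W*"
DIRECTORY_PATH = "/mgs/home/nclogs/"          # the alternative the asker proposes
WHITELIST = r"SG_HTTP\.WCNGRTD02.*\.log.gz|SG_HTTP\.WCV001.*\.log.gz"
BLACKLIST = r".*FW.*|.*WLAN.*|.*PLUG.*|SG_SOCKS.*|SG_STREAM.*|SG_HTTP\.WCNGRTD01.*"

# Constructed candidate paths (not real hosts or files), one per decision branch.
CANDIDATES = [
    "/mgs/home/nclogs/SG_HTTP.WCNGRTD02.2015-05-01.log.gz",       # whitelisted
    "/mgs/home/nclogs/SG_HTTP.WCNGRTD01.2015-05-01.log.gz",       # blacklisted host
    "/mgs/home/nclogs/SG_HTTP.WCV001.2015-05-01.log.gz",          # whitelisted
    "/mgs/home/nclogs/SG_HTTP.WCV001.2015-05-01.log",             # not compressed yet
    "/mgs/home/nclogs/SG_HTTP.WCV001FW.2015-05-01.log.gz",        # whitelist AND blacklist hit
    "/mgs/home/nclogs/SG_SOCKS.WCV001.2015-05-01.log.gz",         # wrong service prefix
    "/mgs/home/nclogs/archive/SG_HTTP.WCV001.2015-04-01.log.gz",  # in a subdirectory
]


def monitor_path_regex(monitor_path):
    """Translate a monitor path to a regex: '...' spans directories, '*' stays within one."""
    parts = [re.escape(p).replace(r"\*", "[^/]*") for p in monitor_path.split("...")]
    return re.compile("^" + ".*".join(parts) + "$")


def matches_monitor(path, monitor_path):
    """Does the path fall under the monitor stanza at all?"""
    if "*" in monitor_path or "..." in monitor_path:
        return monitor_path_regex(monitor_path).match(path) is not None
    # No wildcard: modelled as a directory monitor, recursive by default (assumption).
    prefix = monitor_path.rstrip("/") + "/"
    return path == monitor_path or path.startswith(prefix)


def select_files(candidates, monitor_path, whitelist=None, blacklist=None):
    """Return the paths that would be indexed, applying the documented precedence."""
    kept = []
    for path in candidates:
        if not matches_monitor(path, monitor_path):
            continue                                   # never seen by this stanza
        if blacklist and re.search(blacklist, path):
            continue                                   # blacklist wins over whitelist
        if whitelist and not re.search(whitelist, path):
            continue                                   # whitelist present but not matched
        kept.append(path)
    return kept


def files_with_wildcard_stanza():
    """The stanza exactly as posted: SG_HTTP.W* plus whitelist and blacklist."""
    return select_files(CANDIDATES, MONITOR_PATH, WHITELIST, BLACKLIST)


def files_with_directory_stanza():
    """The asker's alternative: monitor the directory and rely on the whitelist."""
    return select_files(CANDIDATES, DIRECTORY_PATH, WHITELIST, BLACKLIST)


if __name__ == "__main__":
    for label, fn in (("SG_HTTP.W* stanza", files_with_wildcard_stanza),
                      ("directory stanza", files_with_directory_stanza)):
        print(label)
        for path in fn():
            print("  indexed:", path)
```

Both stanzas index the two whitelisted, non-blacklisted files in the top-level directory, and both drop the blacklisted host, the uncompressed file and the path that matches both lists. They differ on the file under archive/: the wildcard stanza never sees it because `*` does not cross a "/", while the directory stanza is recursive and picks it up because the whitelist only looks at the filename part of the path. If the tree contains subdirectories, that is the practical consequence of dropping the wildcard.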