Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

inputs.conf wildcards and whitelist question

minthu
New Member
‎07-29-2015 09:17 PM

i would like to monitor the following in different sourcetypes, but doesnt seem to get the whitelist correct
there will be other different folders and search just does not go to these other folders
/var/logs/.../mq-e*
/var/logs/.../err-*
/var/logs/.../warn-*
/var/logs/.../*

/var/logs/DNS/SU3000/WDNSAH8700/mq-eWDNSAH8700.log.th
in messagequeue

/var/logs/DNS/SU3000/WDNSAH8700/err-WDNSAH8700.log.th
in errorlog

/var/logs/DNS/SU3000/WDNSAH8700/warn-WDNSAH8700.log.th
in warninglog

/var/logs/DNS/SU3000/WDNSAH8700/WDNSAH8700.log.th
in mainlog

i tried different monitor stanza but nothing gives me the correct logging.

[monitor:///var/logs]
whitelist ="mq-e*.log.*"
sourcetype = messagequeue
index = unix

and tried [monitor:///var/logs/.../mq-s*.log.*] without whitelist, also did not work.

can someone please enlighten me?
appreciate it if anyone could point me to some material to learn about wildcard and whitelist syntaxes as well.

Tags (2)
0 Karma
Reply

aholzel
Communicator
‎07-30-2015 01:32 AM

Not sure if this is the problem but if you have a look at the inputs.conf documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

It says about whitelist:

whitelist = <regular expression>
 * If set, files from this input are monitored only if their path matches the specified regex.
 * Takes precedence over the deprecated _whitelist attribute, which functions the same way.

So it think that the whitelist needs to be something like:

whitelist = .mq-e.*log.

0 Karma
Reply

minthu
New Member
‎07-30-2015 09:40 PM

hello,

it works on single sourcetype but when i have multiple sourcetypes it only monitors the first one.


[monitor:///var/logs/]
recursive=true
whitelist =.mq-s.
sourcetype = messagequeue
index = automation
disabled=0
[monitor:///var/logs/]
recursive=true
whitelist =.err.
sourcetype = errlog
index = automation
disabled=0

not sure how we can use different sourcetypes for the same sub folders

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...