In inputs.conf for monitor stanza, can we write regex?
If so,
/opt/splunk/cgate*
matches (/opt/splunk/cgateee)
or (/opt/splunk/cgateabd)
Can we use wildcards(*) for whitelist attribute?
The * wildcard is available. Explained nicely at Note concerning wildcards and monitor:
It says -
I usually check myself by running the monitor part in ls
-
ls /opt/splunk/cgate*
. If it returns the desired /opt/splunk/cgateee
and/or /opt/splunk/cgateabd
I know I'm fine.
Sure, you can add regex to whitelist/blacklist in inputs.conf.
You can found the doc here: (http://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata).
If you add whitelist = \.log$
, Splunk will monitor only *.log files