Hi All,
I have a Splunk environment with a deployment server and nearly 200 forwarders. In one of the deployment apps folders, I have updated the inputs.conf file with the below stanza:
[monitor=///opt/.../actimize-logs/CCTM_RETAIL_(NFT|NFOT)_B[13579]/logs/access_logs/]
whitelist=((notify|score)(Customer|PaymentArrangement|Product|Rejection|IntPayment|PassReset|TravelMoney)\.(access.log))$
After deploying the serverclass, I am not able to receive the logs. I have checked the forwarder, but everything is fine and it is sending other logs. So I suspect only the inputs stanza. Can anyone help in identifying the mistake I have made in the regex?
Thanks in advance
First off, I would encourage you to run your regex through regex101:
https://regex101.com/r/koEOps/1
Next, can you please provide a sample of the file names? You can also 'save' these in regex101 as well as here.
Did you verify file permissions and did you look in /var/log/splunk on a forwarder where the data is?
Are you using a regex in the monitor as well? "(NFT|NFOT)"? If you read when and where regex works (https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Specifyinputpathswithwildcards).
You may need to add a * after your regex.
e.g.
(NFT|NFOT)*
Lastly, you did not escape your last . (via \.), which should not matter here, but it's good practice.
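
An offline check of the posted whitelist against sample file paths, added here as an example and not code from the thread. The base directory, the sample file names and the TIGHT pattern are assumptions; Python's re stands in for Splunk's PCRE, which behaves the same for these patterns, and the whitelist is applied to the file's full path.

```python
import re

# Whitelist exactly as posted in the question.
POSTED = (r"((notify|score)(Customer|PaymentArrangement|Product|Rejection|"
          r"IntPayment|PassReset|TravelMoney)\.(access.log))$")

# Assumed variant (not from the thread): dots escaped, and the directory
# alternation carried in the whitelist rather than in the monitor path.
TIGHT = (r"/CCTM_RETAIL_(NFT|NFOT)_B[13579]/logs/access_logs/"
         r"(notify|score)(Customer|PaymentArrangement|Product|Rejection|"
         r"IntPayment|PassReset|TravelMoney)\.access\.log$")

BASE = "/opt/example/actimize-logs"  # constructed; the real path is elided

# Constructed sample paths covering the edge cases of both patterns.
SAMPLES = [
    f"{BASE}/CCTM_RETAIL_NFT_B1/logs/access_logs/notifyCustomer.access.log",
    f"{BASE}/CCTM_RETAIL_NFOT_B9/logs/access_logs/scoreTravelMoney.access.log",
    f"{BASE}/CCTM_RETAIL_NFT_B2/logs/access_logs/notifyCustomer.access.log",    # even B dir
    f"{BASE}/CCTM_RETAIL_NFT_B1/logs/access_logs/notifyCustomer.access.log.1",  # rotated
    f"{BASE}/CCTM_RETAIL_NFT_B1/logs/access_logs/notifyCustomer.access_log",    # '_' for '.'
    f"{BASE}/CCTM_RETAIL_NFT_B1/logs/access_logs/notifycustomer.access.log",    # lower case
    f"{BASE}/CCTM_RETAIL_NFT_B1/logs/access_logs/prescoreProduct.access.log",   # prefix
]


def classify(pattern, paths=SAMPLES):
    """Map each path to True if the whitelist regex matches anywhere in it."""
    rx = re.compile(pattern)
    return {p: bool(rx.search(p)) for p in paths}


def disagreements(paths=SAMPLES):
    """Paths the posted whitelist accepts but the tightened one rejects (or vice versa)."""
    posted, tight = classify(POSTED, paths), classify(TIGHT, paths)
    return [p for p in paths if posted[p] != tight[p]]


if __name__ == "__main__":
    posted, tight = classify(POSTED), classify(TIGHT)
    for p in SAMPLES:
        print(f"posted={posted[p]!s:5} tight={tight[p]!s:5} {p}")
```

Replacing SAMPLES with real file names from a forwarder shows whether the whitelist itself is excluding the files before looking at the monitor path.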