I try to index Sybase logs which are located in /sybase/SID/ASE-1(5|6)_0/install/SID.log (SID is a variable System-ID).
In the whitelist I only want to monitor files like FL2.log or ACE.log; the normal regex should be ^[A-Z0-9]{3}.log$
I will use the following monitor stanza on the Universal Forwarder:
[monitor:///sybase/*/ASE-1*_0/install/]
whitelist=^[A-Z0-9]{3}\.log$
sourcetype=source_sybase
index=ios_db
_TCP_ROUTING=splunk_main
disabled=false
But then nothing is indexed.
If I use the same stanza without the ^ (anchor), then too many files, like SID.log or SID_JSAGENT.log, are indexed.
[monitor:///sybase/*/ASE-1*_0/install/]
whitelist=[A-Z0-9]{3}\.log$
sourcetype=source_sybase
index=ios_db
_TCP_ROUTING=splunk_main
disabled=false
Does someone have an idea why this is not working, or is this a bug in Splunk?
Remember, the regex is matching against ANY PART OF the incoming file name, including the directory. The same regex DOES match those SID_JSAGENT.log files ... the ENT.log part.
Try this...
whitelist=\/[A-Z0-9]{3}\.log$
Updated to escape the slash.
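To make the point above concrete, here is an added example (not part of the original thread or of Splunk's own code) that mimics how a whitelist regex is searched against the full path rather than the bare file name. It runs the question's anchored regex, the unanchored one, and the slash-prefixed one from the answer over a set of constructed paths that follow the layout in the question, and also goes one step further with an explicit name list for FL2.log and ACE.log. The paths and the `whitelist_matches` helper are assumptions for illustration only.

```python
import re

# Constructed sample paths mirroring the directory layout in the question
# (no real hosts or systems; "PRD" stands in for the variable SID).
SAMPLE_PATHS = [
    "/sybase/PRD/ASE-15_0/install/FL2.log",
    "/sybase/PRD/ASE-16_0/install/ACE.log",
    "/sybase/PRD/ASE-16_0/install/PRD.log",
    "/sybase/PRD/ASE-16_0/install/PRD_JSAGENT.log",
    "/sybase/PRD/ASE-16_0/install/ACE.log.1",
]

# The three whitelist patterns discussed in the thread, plus an explicit
# name list (assumed extension of the idea, not from the thread).
WHITELISTS = {
    "anchored":   r"^[A-Z0-9]{3}\.log$",     # fails: path starts with "/"
    "unanchored": r"[A-Z0-9]{3}\.log$",      # over-matches "...ENT.log"
    "slash":      r"\/[A-Z0-9]{3}\.log$",    # the answer's fix
    "names":      r"\/(FL2|ACE)\.log$",      # only the two wanted files
}


def whitelist_matches(pattern, paths):
    """Return the paths the whitelist regex would admit.

    As with a Splunk monitor whitelist, the regex is searched (not
    full-matched) against the complete path including directories,
    so '^' anchors to the leading '/' of the path, not to the basename.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def basenames(paths):
    """Strip directories so results are easy to read."""
    return [p.rsplit("/", 1)[-1] for p in paths]


if __name__ == "__main__":
    for name, pattern in WHITELISTS.items():
        admitted = basenames(whitelist_matches(pattern, SAMPLE_PATHS))
        print(f"{name:10s} {pattern:25s} -> {admitted}")
```

Running it shows the anchored pattern admitting nothing, the unanchored one pulling in PRD_JSAGENT.log through its trailing "ENT.log", and the slash-prefixed one admitting exactly the three-character basenames; the explicit name list is the option to use when SID.log itself must also be excluded.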
Yes, that is correct; I forgot that it is the complete file name with directory. In your answer only the escape before the backslash is missing. The following is working for me:
[monitor:///sybase/*/ASE-1*_0/install/]
whitelist=\/[A-Z0-9]{3}\.log$
sourcetype=source_sybase
Thanks for your answer.
Updated. Please accept the answer so that the question will show as complete.