Splunk Search

Unable to use regex to index logs

pimco_rgoyal
Observer

Hi, I wish to configure splunk forwarder to pick logs from a directory that match any of the below patterns. Essentially anything that matches the regex "/^(jacket.)?[^\.]*-[^\.]*(.jvm)?.log$/". I tried to make below changes to inputs.conf but it is not working as expected. Can someone help guide how to debug further?

  • may start with “jacket.”
  • must have at least one hyphen
  • must end in “.log” or “.jvm.log”
  • must not have any other “.” characters

Inputs.conf

[monitor:///base/apps/logs]
disabled = false
index = test
sourcetype = _json
whitelist = ^(jacket.)?[^\.]*-[^\.]*(.jvm)?.log$
blacklist = \.gz$
0 Karma

FrankVl
Ultra Champion

I took the liberty of editing your question, to put your code as code, to prevent special characters from disappearing.

From inputs.conf spec:
whitelist =
* If set, files from this input are monitored only if their path matches the specified regex.

So the regex should match the path. Putting a ^ in it, which matches start of the string, and then only trying to match the filename is guaranteed to fail.

So for starters get rid of the ^ and put the folder instead:
/base/apps/logs/(jacket.)?[^\.]*-[^\.]*(.jvm)?.log$

Then, if there should only be 1 - in the name, the two classes left and right from it should exclude the -. Also: the . characters need escaping. So we end up with:
/base/apps/logs/(jacket\.)?[^\.\- ]*-[^\.\-]*(\.jvm)?\.log$

Or, if you don't want to include the path, then specify that there shouldn't be any forward slashes in the match:
/(jacket\.)?[^\.\- /]*-[^\.\-/]*(\.jvm)?\.log$
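Added example, not code from the thread: a small Python harness that applies a whitelist and blacklist to constructed full paths the way the monitor input does (regex against the whole path), so you can see which files the question's `^`-anchored pattern picks up versus the path-prefixed one. Python's `re` stands in for Splunk's PCRE here, and the hyphens inside the character classes are escaped so they are not read as a range; both are assumptions of this example.

```python
import re

# Constructed sample paths, as the monitor input sees them: whitelist and
# blacklist are applied to the full path, not just the file name.
SAMPLE_PATHS = [
    "/base/apps/logs/jacket.app-server.log",      # wanted
    "/base/apps/logs/jacket.app-server.jvm.log",  # wanted
    "/base/apps/logs/app-server.jvm.log",         # wanted
    "/base/apps/logs/appserver.log",              # no hyphen
    "/base/apps/logs/app-server.2024.log",        # extra "."
    "/base/apps/logs/app-server.txt",             # wrong suffix
    "/base/apps/logs/app-server.log.gz",          # rotated copy, blacklisted
]

# The whitelist from the question, anchored with ^ as if it saw only the file name.
ORIGINAL_WHITELIST = r"^(jacket.)?[^\.]*-[^\.]*(.jvm)?.log$"
# The path-prefixed version with "." escaped and "-" excluded from both classes.
# The "-" inside each class is escaped (assumption) so it is not parsed as a range.
CORRECTED_WHITELIST = r"/base/apps/logs/(jacket\.)?[^\.\- ]*-[^\.\-]*(\.jvm)?\.log$"
BLACKLIST = r"\.gz$"


def is_monitored(path, whitelist, blacklist=BLACKLIST):
    """Mimic the stanza's decision for one path: the blacklist wins,
    otherwise the whitelist regex must match somewhere in the full path.
    Python's re stands in for Splunk's PCRE (assumption)."""
    if re.search(blacklist, path):
        return False
    return re.search(whitelist, path) is not None


def monitored_files(paths, whitelist):
    """Return the subset of paths the stanza would pick up with this whitelist."""
    return [p for p in paths if is_monitored(p, whitelist)]


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_WHITELIST),
                           ("corrected", CORRECTED_WHITELIST)):
        print(f"{label}: {monitored_files(SAMPLE_PATHS, pattern)}")
```

Because `[^\.]*` in the original pattern happily swallows slashes, it still matches the file without the `jacket.` prefix; it is the `jacket.`-prefixed files that the `^` anchor causes it to miss.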

inventsekar
SplunkTrust

  • may start with “jacket.”  →  ^(jacket.)?
  • must have at least one hyphen  →  - (one hyphen added)
  • must end in “.log” or “.jvm.log”  →  (.jvm)?.log$
  • must not have any other “.” characters  →  [^\.]*

Please check -

  ^(jacket.)?[^\.]*-(.jvm)?.log$
0 Karma

pimco_rgoyal
Observer

Does not help resolve. Suspect this is some other issue and not something related to regex.

0 Karma

inventsekar
SplunkTrust

Please check if it's working:
^(jacket.)?log$

0 Karma

DalJeanis
Legend

First, you need to escape the periods, because in a regex, . means (roughly) "anything".

Second, you need to have a repeater on the character classes on either side of the hyphen, to allow more than one non-period character.

Third, we're adding hyphen to the list of things the first character class can't be, so that the system won't backtrack past the first hyphen. For the second one, we're NOT adding it, because we don't care if it's a hyphen or not.

This should be pretty efficient overall, finding matching patterns with only a single fail at each spot, and failing non-matching patterns completely at the first period with at most three retest steps.

Try...

 ^(jacket\.)?[^-\.]*-[^\.]*(\.jvm)?\.log$
0 Karma

pimco_rgoyal
Observer

Does not help. Still not picking up logs as expected. What is strange is that my configuration is working fine as expected in Dev instance of our Splunk. I checked the props.conf to see if any diff that could result in this but found nothing.

0 Karma