Solved: inputs.conf configuration help ..

rakesh_498115 · ‎09-10-2012

Hi.

I have source files in the following folder

path : splunkInput/logs/

Files in the path are
Managed1.txt
Managed2.txt
Managed3.txt
Managed4.txt
....
....
....

Managed50.txt

I have 50 Files like this..

Now i have given this configuration in inputs.conf to index only first ten files..ie.Managed1.txt to Managed10.txt.

So i have like this in inputs.conf

inputs.conf

[monitor:///splunkInput/logs/Managed[1-10]{2}.txt]
disable=false
sourcetype=mydata

but this is not working ..can u help the correct regex expression for this sceneraio.

Thanx

kristian_kolb · ‎09-10-2012

I think you'd better work with whitelists/blacklists in this case. I don't think that [monitor] stanza header can make use of full regexes.

[monitor:///splunkInput/logs]
sourcetype = blaha
index = blaha
whitelist = Managed1\d?\.log

Hope this helps,

Kristian

kristian_kolb · ‎09-10-2012

I think you'd better work with whitelists/blacklists in this case. I don't think that [monitor] stanza header can make use of full regexes.

[monitor:///splunkInput/logs]
sourcetype = blaha
index = blaha
whitelist = Managed1\d?\.log

Hope this helps,

Kristian