Splunk Search

whitelist regex help with multiple strings

joesrepsolc
Communicator

Trying to build a rather simple inputs.conf (or so I thought) to grab two statically named files, and the last file has a date built in, so I want to get them all, and any new ones that get created moving forward. I only need help with the whitelist part of the inputs, but can't seem to figure out the combo to get this to work.

catalina.out
vpAppLogClient.log
localhost_access_log.2019-03-19.txt (this one changes everyday)

[monitor:///opt/web/tomcatA/logs]
index = web
sourcetype = tomcat_logs
disabled = 0
whitelist = /catalina.out$|/vpAppLogClient.log$|?????

Appreciate the help everyone!!!

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

Instead of creating multiple stanzas, you can create a single monitor input with a regex. That regex will capture catalina.out, vpAppLogClient.log and localhost_access_log.YYYY-MM-DD.txt

inputs.conf

[monitor:///opt/web/tomcatA/logs]
index = web
sourcetype = tomcat_logs
disabled = 0
whitelist = (catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt)$

EDIT: Fixed typo

joesrepsolc
Communicator

Trying this now, but hoping that it works! Reading through the regex you posted... interesting stuff.

Question: Why do I need the "(" and ")" parentheses around the statement? I missed that on one of my attempts. I also missed the "$" at the end, but was doing that on the end of each file name. Hmmm. Clearly I don't know regex well enough.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

In regex, () is a capturing group, but in this monitor stanza there is no difference whether we use a capturing group or a non-capturing group (?:). I have used () because I am using OR | and ending with $ for all 3 files in common. $ is end of line.

0 Karma
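To make the grouping and "$" points concrete, here is an added example (not from the thread or from Splunk) that runs the accepted whitelist and two variants over a constructed directory listing. It assumes Python's re is close enough to Splunk's PCRE for this pattern and that whitelist is applied as an unanchored search over the full file path, which is why a leading "/" in the group is a useful extra guard against look-alike names.

```python
import re

# Constructed sample of what /opt/web/tomcatA/logs might contain (not from the thread).
SAMPLE_PATHS = [
    "/opt/web/tomcatA/logs/catalina.out",
    "/opt/web/tomcatA/logs/catalina.out.2019-03-18",               # rotated copy
    "/opt/web/tomcatA/logs/old-catalina.out",                      # look-alike name
    "/opt/web/tomcatA/logs/vpAppLogClient.log",
    "/opt/web/tomcatA/logs/localhost_access_log.2019-03-19.txt",
    "/opt/web/tomcatA/logs/localhost_access_log.2019-03-20.txt",   # next day's file
    "/opt/web/tomcatA/logs/localhost_access_log.2019-03-18.txt.gz",  # compressed
    "/opt/web/tomcatA/logs/manager.2019-03-19.log",
]

# The accepted answer's whitelist, verbatim.
ACCEPTED = r"(catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt)$"

# Same alternatives without the group: "$" then binds only to the last
# alternative, so rotated catalina.out.* copies are also picked up.
UNGROUPED = r"catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt$"

# Group prefixed with "/" (as in the original poster's attempt): each alternative
# must now be the whole basename, so "old-catalina.out" is excluded.
ANCHORED = r"/(catalina\.out|vpAppLogClient\.log|localhost_access_log\.\d{4}\-\d{2}\-\d{2}\.txt)$"


def whitelist_matches(pattern, paths):
    """Return the paths a monitor stanza would accept under `pattern`.

    Assumption: Splunk evaluates whitelist as an unanchored regex search
    against the full path, which re.search reproduces here.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def basenames(paths):
    """Strip the directory part so results are easy to compare."""
    return [p.rsplit("/", 1)[-1] for p in paths]


if __name__ == "__main__":
    for name, pattern in (("accepted", ACCEPTED), ("ungrouped", UNGROUPED), ("anchored", ANCHORED)):
        print(f"{name:9s} -> {basenames(whitelist_matches(pattern, SAMPLE_PATHS))}")
```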

joesrepsolc
Communicator

Thanks for the quick response. And THIS WORKED. Super cool. Thank you everyone.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Welcome 🙂

0 Karma

whrg
Motivator

Hello @joesrepsolc,

I think it is easier here to create multiple monitor stanzas without the whitelist option:

[monitor:///opt/web/tomcatA/logs/catalina.out]
index = web
...

[monitor:///opt/web/tomcatA/logs/vpAppLogClient.log]
index = web
...

[monitor:///opt/web/tomcatA/logs/localhost_access_log.*.txt]
index = web
...

0 Karma

joesrepsolc
Communicator

I am aware of doing it this way, but it does make the length/size of the inputs.conf file much larger and a little harder to manage. But I do appreciate the response. I really wanted to understand the REGEX component so I can utilize the whitelist function.

0 Karma