Let's say I have the following in my inputs.conf file:
[monitor:///splunk/splink/fish/abc_qa/logs/]
whitelist = def*.log$|ghi*.log$|jkl*.log$|mno*.log$|pqr*.log$
sourcetype = applogs
index = risk
disabled = false
crcSalt=
And the directory contains the following files:
def_QA_BOAT.log
ghi_QA_TROUT.log
pqr_QA_worm_count.log
Why don't any of these match?
I've attempted the above with just the slashes (without the asterisks) and it still doesn't work.
Maybe it's the page stripping the characters, but are you using
pqr*\.log$
with the asterisk (*) and the slash (\)?
Tried this also with just a single expression in the following format: abc*.log$. No dice. What am I missing?
If you are only specifying the first few characters of the file name you must have the asterisk to wildcard the rest of the file name. You must also have the slash to escape the dot before the file extension. Have you tried using only one expression without the OR "|" ?
I've attempted the above with just the slashes (without the asterisks) and it still doesn't work.
using asterisk and slash plus '|' between each file name.
try this:
whitelist = def*\.log$|ghi*\.log$|jkl*\.log$|mno*\.log$|pqr*\.log$
It tells me nothing matches 'def*.log|ghi*.log|...'. Wouldn't it come back with '_' in the name?
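Added example, not part of the original thread: a check of the whitelist forms posted above against the three file names from the question, plus two regex forms that are not in the thread. It assumes the whitelist value is applied as an unanchored regular expression to the full file path, with Python's `re` module standing in for Splunk's regex engine; the `OTHER_PATH` value is constructed.

```python
import re

# Directory and file names taken from the question.
MONITOR_DIR = "/splunk/splink/fish/abc_qa/logs/"
FILES = ["def_QA_BOAT.log", "ghi_QA_TROUT.log", "pqr_QA_worm_count.log"]
# Constructed path: "def" appears in a directory name, not in the file name.
OTHER_PATH = "/splunk/definitions/other.log"

WHITELISTS = {
    # As posted in the question: "f*" means "zero or more f", "." means any one char.
    "as_posted": r"def*.log$|ghi*.log$|jkl*.log$|mno*.log$|pqr*.log$",
    # As suggested in the thread: dot escaped, but "*" still only repeats the letter.
    "escaped_dot": r"def*\.log$|ghi*\.log$|jkl*\.log$|mno*\.log$|pqr*\.log$",
    # Assumption (not from the thread): ".*" is the regex form of "anything".
    "dot_star": r"def.*\.log$|ghi.*\.log$|jkl.*\.log$|mno.*\.log$|pqr.*\.log$",
    # Assumption (not from the thread): tie the prefix to the file-name component.
    "basename": r"/(def|ghi|jkl|mno|pqr)[^/]*\.log$",
}


def matches(whitelist: str, path: str) -> bool:
    """True if the whitelist regex matches anywhere in the full path."""
    return re.search(whitelist, path) is not None


def matched_files(whitelist: str) -> list[str]:
    """File names from the question that the whitelist would accept."""
    return [f for f in FILES if matches(whitelist, MONITOR_DIR + f)]


def report() -> dict[str, dict]:
    """Per whitelist: accepted files, and whether the unrelated path slips in."""
    return {
        name: {
            "files": matched_files(rx),
            "matches_other_path": matches(rx, OTHER_PATH),
        }
        for name, rx in WHITELISTS.items()
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:12} files={result['files']} "
              f"other_path={result['matches_other_path']}")
```

The `dot_star` form accepts all three files but also accepts `OTHER_PATH`, because `.*` can span directory separators; the `basename` form does not.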