product
service
- Simple Security Consulting [Consulting]
- Splunk SOAR Automation Assessment Service [Consulting]
- Dashboard/SPL Creation Pack [Implementation/Building Support]
- Version upgrade service [implementation and construction support]
- Splunk Premium Apps construction support service [implementation and construction support]
- Splunk Security Log Analysis Start Package [Original App/Service]
- Splunk × CrowdStrike Falcon Insight, Macnica Original App [Original App/Service]
- Government uniform standard compatible App [Original App/Service]
- Smart Security Monitoring App [Original App/Service]
- Splunk × LANSCOPE Original App [Original App/Service]
- Security Monitoring App for Box [Original App/Service]
- Cloud Security Monitoring App [Original App/Service]
- SIEM Operation Monitoring Service [Original App/Service]
- List of services
- Macnica Premium Support for Splunk (utilization support, version upgrade monitoring)
- Macnica Premium Support for Splunk Skill Up Package
Specifications/Technical Information
Application for evaluation machine
- FAQ
How to specify files to include/exclude using regular expressions
- release date
- 2017-02-27
- last updated
- 2023-12-01
- version
- Splunk Enterprise 9.0.3
- Overview
- This section describes how to specify files to be included/excluded using regular expressions. If you want to import into splunk/exclude files from being imported, you can specify the files to be imported using regular expressions by setting whitelist/blacklist in inputs.conf.
- Reference information
-
- https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Whitelistorblacklistspecificincomingdata
- https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Specifyinputpathswithwildcards
- https://docs.splunk.com/Documentation/Splunk/9.0.3/Admin/Inputsconf
- https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Monitorfilesanddirectories
- content
-
If you want to import/exclude multiple files under a certain directory into splunk, you can specify the files to be imported using regular expressions by setting the whitelist/blacklist in inputs.conf.
*If blacklist and whitelist are used together, the blacklist setting will be applied with priority.
setting[monitor://<monitor directory path>]
whitelist = <regular expression specifying files to include>
blacklist = <Regular expression specifying files to exclude from importing>Setting example 1)When importing only files ending in ".log" among the files under the /mnt/logs directory
$SPLUNK_HOME/etc/system/local/inputs.conf
--------
[monitor:///mnt/logs]
whitelist = \.log$
--------*$SPLUNK_HOME is the installation directory. By default it is as follows.
Linux :
Splunk Enterprise : /opt/splunk
Windows :
Splunk Enterprise : C:\Program Files\SplunkSetting example 2)When excluding only files with ".txt" at the end of the file name from the files under the /mnt/logs directory
$SPLUNK_HOME/etc/system/local/inputs.conf
--------
[monitor:///mnt/logs]
blacklist = \.txt$
--------Also, when specifying multiple files/directories to be monitored, use wildcards "*" and "...".
Any number of strings can be specified by using the wildcard "*".
Any subdirectory can be monitored by using the wildcard "...".
Setting example 3)When importing the following files under the /DATA/test directory
監視対象ファイル:
/DATA/test/EVT_file_a.log1
/DATA/test/TXT_file_b.log2$SPLUNK_HOME/etc/system/local/inputs.conf
---
[monitor:///DATA/test/*_file_*.log*]
---Setting example 4)When importing any ".log" file under /DATA/
監視対象ファイル:
/DATA/test/EVT_file_a.log1
/DATA/test/TXT_file_b.log2
/DATA/test/sample/text.log3$SPLUNK_HOME/etc/system/local/inputs.conf
---
[monitor:///DATA/.../*.log*]
---Please refer to the reference information for wildcard specifications and details of inputs.conf.
that's all
In charge of Macnica Splunk Co., Ltd.
- TEL:045-476-2010
- E-mail:splunk-sales@macnica.co.jp
Mon-Fri 8:45-17:30
