
Forums: SplunkAdministration: _whitelist for a dir and file in same path




I am trying to build a _whitelist for a path where the second-to-last directory has multiple directories that I would like to use a wildcard on, as well as a wildcard on the file names.
It would look something like this:

/u01/app/oracle/osw/archive/osw*/*.dat

I have been attempting to put the whitelist in the inputs.conf file like this, without success.

[tail:///u01/app/oracle/osw/archive]
_whitelist = osw*\/*\.dat

Can I use multiple wildcards in the same whitelist, and if so, how?

Regards,

pstein

The whitelist needs to be a regex, and path wildcards are '...'.

I think this is what you are looking for:

[tail:///u01/app/oracle/osw/archive/.../]
_whitelist = osw.*\/*\.dat

ChaChing!
The /.../ path wildcard did the trick.

As always, ARaitz, you are the best!

A little follow-up. Now that I can get the _whitelist to expand and check the file list with ../splunk list tail,
how do I actually get this type of data into Splunk? Sample below. This is nothing but simple ps command output written to a file which Splunk tails. Do you think the zzz * is causing issues with how Splunk grabs/uses timestamps? I will wait for a reply before opening a ticket for possible directions.

pine:/opt/splunk/etc/bundles/local # more /u01/app/oracle/osw/archive/oswps/pine_ps_09.12.08.1400.dat
zzz
*Fri Sep 12 14:00:37 CDT 2008
F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
4 S root 1 0 0 75 0 - 160 schedu Aug08 ? 00:01:00 init [3]
1 S root 2 1 0 -40 - - 0 migrat Aug08 ? 00:00:16 [migration/0]
1 S root 3 1 0 94 19 - 0 ksofti Aug08 ? 00:00:01 [ksoftirqd/0]
1 S root 4 1 0 -40 - - 0 migrat Aug08 ? 00:00:21 [migration/1]
1 S root 5 1 0 94 19 - 0 ksofti Aug08 ? 00:00:01 [ksoftirqd/1]
5 S root 6 1 0 65 -10 - 0 worker Aug08 ? 00:00:00 [events/0]

pstein

ARaitz is the best!!!

Paul,

Yeah, you should use TIME_PREFIX in props.conf for the source or sourcetype:

[your_source]
TIME_PREFIX = z{3}\s+\*

I don't know if it matters, but the way the time was listed in my example was changed because this GUI interface interpreted the first two asterisks as "bold" markup.
What it should have looked like was: "zzz (followed by a space and (3) asterisks)" Fri Sep 12 14:00:37 CDT 2008

Here is what I have built into my props.conf file that is still failing to index:

# Adding in line for Oracle Data and the odd timestamp

[source::.../u01/app/oracle/osw/archive/.../*]
TIME_PREFIX = z{3}\s+\*

Would it need to have the three asterisks or can I do a *{3} like you did with the "z"?

When I run the following "splunk list tail" it gives me the following:

pine:/opt/splunk/etc/bundles/local # /opt/splunk/bin/splunk list tail | more
Tailed Directories:
/u01/app/oracle/osw/archive
/u01/app/oracle/osw/archive/oswvmstat/pine_vmstat_09.15.08.1000.dat
/u01/app/oracle/osw/archive/oswvmstat/pine_vmstat_09.15.08.0900.dat

Which tells me it knows where to get the information but still can't index it. I am thinking it has to do with the props.conf file still.
Please advise.

Yes, you will need a {3} behind the asterisk.

Despite my ../bundles/local/props.conf file looking like this:

# Adding in line for Oracle Data and the odd timestamp

[source::.../u01/app/oracle/osw/archive/.../*]
TIME_PREFIX = z{3}\s+\*{3}

I am not getting any of my ../archive/oswvmstat/blahblah.dat files indexed.

Any more thoughts behind this and how to correct it?

Do the .dat files have headers? Do you see anything about binary if you put FileInputTracker=DEBUG in splunk/etc/log/cfg?
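An added check of the two regexes discussed in this thread, written for this page and not posted by anyone in it. It assumes Python's re behaves like Splunk's PCRE for these patterns and that a whitelist is an unanchored search over the full path; the sample paths and header line are constructed, and WHITELIST_STRICT is an extra, tighter pattern of my own, not from the thread.

```python
import re
from datetime import datetime

# _whitelist from the accepted answer. Splunk applies it as an unanchored PCRE search
# against the full path; Python's re is assumed to behave the same for this pattern.
WHITELIST = re.compile(r"osw.*\/*\.dat")
# Tighter alternative (added here, not from the thread): anchor on the archive/osw*
# directory and the file name, so "osw" in a parent directory alone is not enough.
WHITELIST_STRICT = re.compile(r"archive/osw[^/]*/[^/]*\.dat$")

# Constructed paths, modelled on the thread's listing; not from a real host.
PATHS = [
    "/u01/app/oracle/osw/archive/oswps/pine_ps_09.12.08.1400.dat",
    "/u01/app/oracle/osw/archive/oswvmstat/pine_vmstat_09.15.08.1000.dat",
    "/u01/app/oracle/osw/archive/oswvmstat/notes.txt",
    "/u01/app/oracle/osw/archive/other/pine_ps_09.12.08.1400.dat",
]

def whitelisted(paths, pattern=WHITELIST):
    """Return the paths the whitelist regex would let the monitor input pick up."""
    return [p for p in paths if pattern.search(p)]

# TIME_PREFIX from the thread: the timestamp is read from whatever follows the match.
# A header with fewer than three asterisks never matches, which is why the {3} matters.
TIME_PREFIX = re.compile(r"z{3}\s+\*{3}")
# Shape of the ps-output header timestamp; the zone token is captured separately
# because Python's strptime %Z only accepts a few zone names.
TIMESTAMP = re.compile(r"(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\w+) (\d{4})")

# Constructed sample, with the three asterisks the forum markup swallowed.
SAMPLE = [
    "zzz ***Fri Sep 12 14:00:37 CDT 2008",
    "F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD",
    "4 S root 1 0 0 75 0 - 160 schedu Aug08 ? 00:01:00 init [3]",
]

def extract_timestamp(lines):
    """Return (datetime, zone) from the first line where TIME_PREFIX matches, else None."""
    for line in lines:
        m = TIME_PREFIX.search(line)
        if not m:
            continue
        t = TIMESTAMP.match(line[m.end():])
        if t:
            when = datetime.strptime(f"{t.group(1)} {t.group(3)}", "%a %b %d %H:%M:%S %Y")
            return when, t.group(2)
    return None
```

Note that the thread's whitelist also admits the fourth path, because "osw" in the parent directory already satisfies the unanchored pattern; the stricter pattern rejects it.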
