Specify input paths with wildcards
This documentation does not apply to the most recent version of Splunk.
A wildcard is a character that you can substitute for one or more unspecified characters when searching text or selecting multiple files or directories. In Splunk, you can use wildcards to specify your input path for monitored input; use ... for paths and * for files.
| Wildcard | Description | Regex equivalent | Example(s) |
|---|---|---|---|
| ... | The ellipsis wildcard recurses through directories and subdirectories to match. | [^/]* | /foo/.../bar matches the files /foo/bar, /foo/1/bar, /foo/1/2/bar, etc. Note: This only works if |
| * | The asterisk wildcard matches anything in that specific directory path segment. Note: It cannot be used inside a directory path; must be used in the last segment of the path. | .* | /foo/*.log matches all files with the .log extension, such as /foo/bar.log. It does not match /foo/bar.txt or /foo/bar/test.log. |
| . | | \. | |
For more specific matches, combine the ... and * wildcards. For example, /foo/.../bar/* matches any file in the /bar directory within the specified path.
Input examples
To load all files in /apache/foo/logs or /apache/bar/logs, etc.
[monitor:///apache/.../logs/*]
To load any file in /apache/ that ends in .log.
[monitor:///apache/*.log]
Wildcards and whitelisting
Specifying wildcards results in an implicit _whitelist created for that stanza. The longest fully qualified path is used as the monitor stanza, and the wildcards are translated into regular expressions, as described in the table above.
Note: In Windows, _whitelist and _blacklist rules do not support regexes that include backslashes; you must use two backslashes \\ to escape wildcards.
Additionally, the converted expression is anchored to the right end of the file path, so that the entire path must be matched.
For example, if you specify
[monitor:///foo/bar*.log]
Splunk translates this into
[monitor:///foo/]
_whitelist = bar[^/]*\.log$
As a consequence, you can't have multiple stanzas with wildcards for files in the same directory. If you have multiple inputs that only disambiguate after a wildcard, they will collide.
Also, you cannot use a _whitelist declaration in conjunction with wildcards.
For example:
[monitor:///foo/bar_baz*]
[monitor:///foo/bar_qux*]
This results in overlapping stanzas indexing the directory /foo/. Splunk takes the first one, so only files starting with /foo/bar_baz will be indexed. To include both sources, manually specify a _whitelist using regular expression syntax for "or":
[monitor:///foo]
_whitelist = (bar_baz[^/]*|bar_qux[^/]*)$
Note: To set any additional attributes (such as sourcetype) for multiple whitelisted/blacklisted inputs that may have different attributes, use props.conf.
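A collision like the one above drops a log source without any error, so it is worth checking inputs.conf before deployment. The Python sketch below is an added example, not Splunk code and not part of the original documentation: it reproduces the * translation shown for bar*.log, reports stanzas that resolve to the same directory, and builds the merged _whitelist. The function names and the sample stanzas are assumptions, and only the * wildcard in the last path segment is handled.

```python
import re
from collections import defaultdict

# Constructed sample inputs.conf, built from the stanzas used on this page.
SAMPLE_INPUTS = """\
[monitor:///foo/bar_baz*]
[monitor:///foo/bar_qux*]
[monitor:///apache/*.log]
"""

def implicit_whitelist(path):
    """Split a monitor path into (monitored directory, implicit _whitelist regex)."""
    directory, _, last = path.rpartition("/")
    if "*" not in last:
        return path, None                      # no wildcard, no implicit _whitelist
    # '*' becomes [^/]*, other characters are escaped, '$' anchors the right end.
    body = "".join("[^/]*" if ch == "*" else re.escape(ch) for ch in last)
    return directory + "/", body + "$"

def find_collisions(conf_text):
    """Report directories claimed by more than one wildcard monitor stanza."""
    by_dir = defaultdict(list)
    for header in re.findall(r"^\[monitor://(.+)\]\s*$", conf_text, re.MULTILINE):
        directory, regex = implicit_whitelist(header)
        if regex:
            by_dir[directory].append((header, regex))
    report = {}
    for directory, hits in by_dir.items():
        if len(hits) > 1:
            report[directory] = {
                "indexed": hits[0][0],                      # the first stanza wins
                "dropped": [path for path, _ in hits[1:]],  # silently not indexed
                "merged_whitelist": "(" + "|".join(rx[:-1] for _, rx in hits) + ")$",
            }
    return report

if __name__ == "__main__":
    for directory, info in find_collisions(SAMPLE_INPUTS).items():
        print(f"[monitor://{directory}]  _whitelist = {info['merged_whitelist']}")
        print("  not indexed as written:", ", ".join(info["dropped"]))
```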
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11