Specify input paths with wildcards
This documentation does not apply to the most recent version of Splunk.
This topic is only relevant when using inputs.conf to specify inputs, as described in "Configure with inputs.conf" in this topic.
Important: Input path specifications in inputs.conf don't use regex-compliant expressions but rather Splunk-defined wildcards.
A wildcard is a character that you can substitute for one or more unspecified characters when searching text or selecting multiple files or directories. In Splunk, you can use wildcards to specify your input path for monitored input.
| Wildcard | Description | Regex equivalent | Example(s) |
|---|---|---|---|
| ... | The ellipsis wildcard recurses through directories and any number of levels of subdirectories to find matches. | .* | /foo/.../bar matches the files /foo/bar, /foo/1/bar, /foo/2/bar, /foo/1/2/bar, etc. Note: Because a single ellipsis recurses through all directories and subdirectories, |
| * | The asterisk wildcard matches anything in that specific directory path segment. Unlike " | [^/]* | /foo/*/bar matches the files /foo/bar, /foo/1/bar, /foo/2/bar, etc. However, it does not match /foo/1/2/bar. |
Note: A single dot (.) is not a wildcard, and is the regex equivalent of \..
For more specific matches, combine the ... and * wildcards. For example, /foo/.../bar/* matches any file in the /bar directory within the specified path.
Warning: You cannot use a wildcard at the root level. For example, this does not work:
[monitor://E:\...\foo\*.log]
Input examples
To monitor /apache/foo/logs, /apache/bar/logs, /apache/bar/1/logs, etc.:
[monitor:///apache/.../logs]
To monitor /apache/foo/logs, /apache/bar/logs, etc., but not /apache/bar/1/logs or /apache/bar/2/logs:
[monitor:///apache/*/logs]
To monitor any file directly under /apache/ that ends in .log:
[monitor:///apache/*.log]
To monitor any file under /apache/ (under any level of subdirectory) that ends in .log:
[monitor:///apache/.../*.log]
Wildcards and whitelists
Important: In Splunk, whitelists and blacklists are defined with standard PCRE regex syntax, unlike the file input path syntax described in the previous sections.
When you specify wildcards in a file input path, Splunk creates an implicit whitelist for that stanza. The longest fully qualified path becomes the monitor stanza, and the wildcards are translated into regular expressions, as listed in the table above.
Note: In Windows, whitelist and blacklist rules do not support regexes that include backslashes; you must use two backslashes \\ to escape wildcards.
Additionally, the converted expression is anchored to the right end of the file path, so that the entire path must be matched.
For example, if you specify
[monitor:///foo/bar*.log]
Splunk translates this into
[monitor:///foo/]
whitelist = bar[^/]*\.log$
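The translation described above, as an added Python example that is not Splunk's own code: it splits a wildcarded monitor path into the stanza path and the implicit whitelist using the regex equivalents from the table, then reports which constructed file paths the input would pick up and which it would miss. The function names are hypothetical, and applying the whitelist to the part of the path below the stanza directory is an assumption that agrees with the input examples on this page but does not model the table's zero-subdirectory case (/foo/bar for /foo/.../bar).

```python
import re


def translate_monitor_path(path):
    """Return (stanza_path, whitelist_regex) for a wildcarded monitor path."""
    segments = path.split("/")
    # The first segment containing a wildcard ends the fully qualified prefix.
    first = next((i for i, s in enumerate(segments)
                  if "*" in s or "..." in s), None)
    if first is None:
        return path, None  # no wildcard, so no implicit whitelist
    stanza = "/".join(segments[:first]) + "/"
    remainder = "/".join(segments[first:])
    parts = []
    for token in re.split(r"(\.\.\.|\*)", remainder):
        if token == "...":
            parts.append(".*")       # recurse through any number of levels
        elif token == "*":
            parts.append("[^/]*")    # stay inside one path segment
        else:
            parts.append(re.escape(token))  # a literal dot becomes \.
    return stanza, "".join(parts) + "$"     # anchored to the right end


def is_covered(monitor_path, candidate):
    """Assumption: the whitelist is applied to the path below the stanza."""
    stanza, whitelist = translate_monitor_path(monitor_path)
    if whitelist is None:
        prefix = monitor_path.rstrip("/") + "/"
        return candidate == monitor_path or candidate.startswith(prefix)
    if not candidate.startswith(stanza):
        return False
    return re.match(whitelist, candidate[len(stanza):]) is not None


if __name__ == "__main__":
    # Constructed file paths, not taken from a real host.
    files = ["/apache/access.log", "/apache/foo/logs", "/apache/bar/1/logs",
             "/apache/foo/error.log", "/apache/foo/error.log.1"]
    for spec in ["/apache/*.log", "/apache/*/logs",
                 "/apache/.../logs", "/apache/.../*.log"]:
        print(spec, "->", translate_monitor_path(spec))
        for f in files:
            state = "monitored" if is_covered(spec, f) else "MISSED   "
            print("   ", state, f)
```

Because the expression is anchored at the right end, a rotated file such as /apache/foo/error.log.1 falls outside [monitor:///apache/.../*.log], which is worth checking when the input is meant to cover every log a host produces.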
Note: To set any additional attributes (such as sourcetype) for multiple whitelisted/blacklisted inputs that may have different attributes, use props.conf.
For more information on using whitelists with file inputs, see "Whitelist or blacklist specific incoming data."
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8