<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Forwarder - inputs.conf &amp;quot;merging&amp;quot; in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-inputs-conf-quot-merging-quot/m-p/479521#M99829</link>
    <description>&lt;P&gt;Ok. Taken from documentation,&lt;BR /&gt;
&lt;A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf"&gt;https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf&lt;/A&gt;&lt;BR /&gt;
... i missed this directive... need to try.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Event Log filtering

 Filtering at the input layer is desirable to reduce the total
 processing load in network transfer and computation on the Splunk platform
 nodes that acquire and processing Event Log data.

whitelist = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]

whitelist1 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist2 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist3 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist4 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist5 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist6 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist7 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist8 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist9 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist1 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist2 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist3 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist4 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist5 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist6 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist7 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist8 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist9 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;... clear! Need to try, later. Thanks.&lt;/P&gt;

&lt;P&gt;ps. this is documented under "&lt;STRONG&gt;Windows Event Log Monitor&lt;/STRONG&gt;" however... not sure will work in a normal log file... i'll try.&lt;/P&gt;</description>
    <pubDate>Thu, 27 Feb 2020 18:44:49 GMT</pubDate>
    <dc:creator>verbal_666</dc:creator>
    <dc:date>2020-02-27T18:44:49Z</dc:date>
    <item>
      <title>Forwarder - inputs.conf "merging"</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-inputs-conf-quot-merging-quot/m-p/479518#M99826</link>
      <description>&lt;P&gt;Hi guys.&lt;BR /&gt;
Can you confirm Forwarder will never "merge" theese different inputs, holding same path?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;addon: etc/apps/addon1/default/inputs.conf
[monitor:///tmp/]
whitelist=.*\.log$|.*\.txt$
index=blabla
sourcetype=blabla

addon: etc/apps/addon2/default/inputs.conf
[monitor:///tmp/]
whitelist=.*\.json$|.*\.dat$
index=blabla
sourcetype=blabla
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;... the first inputs from addon1 will be taken in consideration, while the second from addon2 will be rejected (conflict), without merging the whitelist for same original path "conflict"... so i absolutely need to take only 1 addon, holding all?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;addon: etc/apps/singleaddon/default/inputs.conf
[monitor:///tmp/]
whitelist=.*\.log$|.*\.txt$|.*\.json$|.*\.dat$
index=blabla
sourcetype=blabla
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The singleaddon works, obviously.&lt;/P&gt;</description>
      <pubDate>Wed, 26 Feb 2020 19:23:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarder-inputs-conf-quot-merging-quot/m-p/479518#M99826</guid>
      <dc:creator>verbal_666</dc:creator>
      <dc:date>2020-02-26T19:23:26Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarder - inputs.conf "merging"</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-inputs-conf-quot-merging-quot/m-p/479519#M99827</link>
      <description>&lt;P&gt;you can filter at the input layer is desirable to reduce the total&lt;BR /&gt;
 processing load in network transfer and computation on the Splunk platform&lt;BR /&gt;
 nodes that acquire and processing Event Log data.&lt;BR /&gt;
1) you can use it this way &lt;BR /&gt;
whitelist1 =  | key=regex [key=regex]&lt;BR /&gt;
whitelist2 =  | key=regex [key=regex]&lt;BR /&gt;
2) use a comma to saperate the next whitelist.&lt;BR /&gt;
both would do the result&lt;/P&gt;</description>
      <pubDate>Thu, 27 Feb 2020 01:34:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarder-inputs-conf-quot-merging-quot/m-p/479519#M99827</guid>
      <dc:creator>pruthvikrishnap</dc:creator>
      <dc:date>2020-02-27T01:34:36Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarder - inputs.conf "merging"</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-inputs-conf-quot-merging-quot/m-p/479520#M99828</link>
      <description>&lt;P&gt;Not sure having understood. Can you do an exact example with real inputs as above?&lt;/P&gt;

&lt;P&gt;You're saying these inputs will work? "&lt;EM&gt;whitelistX=&lt;/EM&gt;" directive in stanzas works?&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; addon: etc/apps/addon1/default/inputs.conf
 [monitor:///tmp/]
 whitelist1=.*\.log$|.*\.txt$
 index=blabla
 sourcetype=blabla

 addon: etc/apps/addon2/default/inputs.conf
 [monitor:///tmp/]
 whitelist2=.*\.json$|.*\.dat$
 index=blabla
 sourcetype=blabla
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 27 Feb 2020 18:40:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarder-inputs-conf-quot-merging-quot/m-p/479520#M99828</guid>
      <dc:creator>verbal_666</dc:creator>
      <dc:date>2020-02-27T18:40:26Z</dc:date>
    </item>
    <item>
      <title>Re: Forwarder - inputs.conf "merging"</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Forwarder-inputs-conf-quot-merging-quot/m-p/479521#M99829</link>
      <description>&lt;P&gt;Ok. Taken from documentation,&lt;BR /&gt;
&lt;A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf"&gt;https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf&lt;/A&gt;&lt;BR /&gt;
... i missed this directive... need to try.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Event Log filtering

 Filtering at the input layer is desirable to reduce the total
 processing load in network transfer and computation on the Splunk platform
 nodes that acquire and processing Event Log data.

whitelist = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]

whitelist1 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist2 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist3 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist4 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist5 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist6 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist7 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist8 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
whitelist9 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist1 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist2 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist3 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist4 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist5 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist6 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist7 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist8 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
blacklist9 = &amp;lt;list of eventIDs&amp;gt; | key=regex [key=regex]
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;... clear! Need to try, later. Thanks.&lt;/P&gt;

&lt;P&gt;ps. this is documented under "&lt;STRONG&gt;Windows Event Log Monitor&lt;/STRONG&gt;" however... not sure will work in a normal log file... i'll try.&lt;/P&gt;</description>
      <pubDate>Thu, 27 Feb 2020 18:44:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Forwarder-inputs-conf-quot-merging-quot/m-p/479521#M99829</guid>
      <dc:creator>verbal_666</dc:creator>
      <dc:date>2020-02-27T18:44:49Z</dc:date>
    </item>
  </channel>
</rss>

