Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Alerting
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: Error when adding new whitelist in inputs.conf
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
azrad
Engager
07-08-2020
06:50 PM
Hi Splunk Community
We have created few whitelist in our inputs.conf file. It was all fine until i try to enter the following:
whitelist10=Type="Information" SourceName="Customer.Service" Message="*Request Info:ContactCustomer - CreateNewContact*"
after restarting my splunk, i get the following:
Invalid key in stanza [WinEventLog://Application] in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf, line 38: whitelist12 (value: Type="Information" SourceName="Customer.Service" Message="*Request Info:ContactCustomer - CreateNewContact*").
and it gives me the following:
Did you mean 'whitelist'?
Did you mean 'whitelist1'?
Did you mean 'whitelist2'?
Did you mean 'whitelist3'?
Did you mean 'whitelist4'?
Did you mean 'whitelist5'?
Did you mean 'whitelist6'?
Did you mean 'whitelist7'?
Did you mean 'whitelist8'?
Did you mean 'whitelist9'?
Is there a limit to number of whitelist we can create?
Or what is the next correct key to use after whitelist9 ?
thanks!!
Azrad
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
07-09-2020
02:04 AM
Hi,
Yes there is limitation when you specify whitelist/blacklist for Windows Event Montitoring
https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Inputsconf#Windows_Event_Log_Monitor
* Numbered whitelist settings are permitted from 1 to 9, so whitelist1 through
whitelist9 and blacklist1 through blacklist9 are supported.
* If no whitelist or blacklist rules are present, the input reads all events.- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
07-09-2020
02:04 AM
Hi,
Yes there is limitation when you specify whitelist/blacklist for Windows Event Montitoring
https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Inputsconf#Windows_Event_Log_Monitor
* Numbered whitelist settings are permitted from 1 to 9, so whitelist1 through
whitelist9 and blacklist1 through blacklist9 are supported.
* If no whitelist or blacklist rules are present, the input reads all events.- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
azrad
Engager
07-13-2020
03:45 PM
hi @harsmarvania57
Thanks for the answer. We made some changes to our config and combined the whitelist where possible.
Get Updates on the Splunk Community!
Application management with Targeted Application Install for Victoria Experience
Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...
Index This | What goes up and never comes down?
January 2026 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination
The Power of Two: Splunk + Cisco at "Ludicrous Scale"
You know Splunk. You know Cisco. But have you seen ...
