Getting Data In

Can I use both the whitelist AND blacklist for the same monitoring stanza in the inputs.conf?



Can I use both whitelist AND blacklist for the same monitoring stanza in the inputs.conf? Like below:

whitelist = disp
blacklist = [ICDicd]\d{6,}\.trc|_alert_|\.\d+_\w+\.trc|sqltrace||rtedump|available\.log$|nameserver_history\.trc$|statements|crashdump|table_consistency_check|\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot|tpt|cpt)$

Could you please advise?

Kind Regards,


0 Karma


@damucka Yes,both whitelist and blacklist can be used in same monitoring stanza

0 Karma


Hello @damucka,

You can use both whitelist and blacklist in the same monitor stanza.

The documentation on inputs.conf even specifies the case when whitelist and blacklist match the same file:

If a file matches the regexes in both the blacklist and whitelist settings,
the file is NOT monitored. Blacklists take precedence over whitelists.

I also noticed that you wrote "...|sqltrace||rtedump|...".
Shouldn't it be "...|sqltrace|rtedump|..."?

EDIT: Have a look at Whitelist or blacklist specific incoming data:

When you define a whitelist, Splunk Enterprise only indexes the files you specify. When you define a blacklist, the software ignores the specified files and processes all other files.


It is not necessary to define both a whitelist and a blacklist in a stanza. They are independent settings. If you do define both and a file matches both, Splunk Enterprise does not index that file as blacklist overrides whitelist.

So I suggest to use either whitelist (only index specific files) or blacklist (ignore specific files). I don't see any reason for using both.

Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.