Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I use both the whitelist AND blacklist for the same monitoring stanza in the inputs.conf?

damucka
Builder
‎02-19-2019 12:34 AM

Hello,

Can I use both whitelist AND blacklist for the same monitoring stanza in the inputs.conf? Like below:

[monitor://d:\usr\sap\ISP\D33\work\disp*]
index=mlbso
disabled=false
interval=15
sourcetype=ISP_abaptraces
whitelist = disp
blacklist = [ICDicd]\d{6,}\.trc|_alert_|\.\d+_\w+\.trc|sqltrace||rtedump|available\.log$|nameserver_history\.trc$|statements|crashdump|table_consistency_check|\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot|tpt|cpt)$

Could you please advise?

Kind Regards,

Kamil

0 Karma
Reply

ashajambagi
Communicator
‎02-19-2019 01:52 AM

@damucka Yes,both whitelist and blacklist can be used in same monitoring stanza

0 Karma
Reply

whrg
Motivator
‎02-19-2019 01:40 AM

Hello @damucka,

You can use both whitelist and blacklist in the same monitor stanza.

The documentation on inputs.conf even specifies the case when whitelist and blacklist match the same file:

If a file matches the regexes in both the blacklist and whitelist settings,
the file is NOT monitored. Blacklists take precedence over whitelists.

I also noticed that you wrote "...|sqltrace||rtedump|...".
Shouldn't it be "...|sqltrace|rtedump|..."?

EDIT: Have a look at Whitelist or blacklist specific incoming data:

When you define a whitelist, Splunk Enterprise only indexes the files you specify. When you define a blacklist, the software ignores the specified files and processes all other files.

Also:

It is not necessary to define both a whitelist and a blacklist in a stanza. They are independent settings. If you do define both and a file matches both, Splunk Enterprise does not index that file as blacklist overrides whitelist.

So I suggest to use either whitelist (only index specific files) or blacklist (ignore specific files). I don't see any reason for using both.

Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top