
Can I use both the whitelist AND blacklist for the same monitoring stanza in the inputs.conf?

damucka
Builder

Hello,

Can I use both whitelist AND blacklist for the same monitoring stanza in the inputs.conf? Like below:

[monitor://d:\usr\sap\ISP\D33\work\disp*]
index=mlbso
disabled=false
interval=15
sourcetype=ISP_abaptraces
whitelist = disp
blacklist = [ICDicd]\d{6,}\.trc|_alert_|\.\d+_\w+\.trc|sqltrace||rtedump|available\.log$|nameserver_history\.trc$|statements|crashdump|table_consistency_check|\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot|tpt|cpt)$

Could you please advise?

Kind Regards,

Kamil

0 Karma

ashajambagi
Communicator

@damucka Yes, both whitelist and blacklist can be used in the same monitoring stanza.

0 Karma

whrg
Motivator

Hello @damucka,

You can use both whitelist and blacklist in the same monitor stanza.

The documentation on inputs.conf even specifies the case when whitelist and blacklist match the same file:

If a file matches the regexes in both the blacklist and whitelist settings,
the file is NOT monitored. Blacklists take precedence over whitelists.

I also noticed that you wrote "...|sqltrace||rtedump|...".
Shouldn't it be "...|sqltrace|rtedump|..."?

EDIT: Have a look at Whitelist or blacklist specific incoming data:

When you define a whitelist, Splunk Enterprise only indexes the files you specify. When you define a blacklist, the software ignores the specified files and processes all other files.

Also:

It is not necessary to define both a whitelist and a blacklist in a stanza. They are independent settings. If you do define both and a file matches both, Splunk Enterprise does not index that file as blacklist overrides whitelist.

So I suggest using either whitelist (only index specific files) or blacklist (ignore specific files). I don't see any reason for using both.
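As an added illustration that is not part of this thread and not Splunk's own code, the Python script below mimics the precedence rule quoted from the documentation (a blacklist match wins; otherwise the whitelist must match when one is set) and applies it to a few constructed file paths. Splunk evaluates these regexes against the full path of each file, which the script reproduces with an unanchored search. It also makes the stray "||" concrete: an empty alternative matches every path, so with the blacklist exactly as posted every file is blacklisted. The stanza values and sample paths are constructed for the example; Splunk uses PCRE rather than Python's re module, but for these patterns the behaviour is the same.

```python
import re

# Constructed stanza values mirroring the question (not taken from a live system).
WHITELIST = r"disp"
BLACKLIST_AS_POSTED = (
    r"[ICDicd]\d{6,}\.trc|_alert_|\.\d+_\w+\.trc|sqltrace||rtedump|available\.log$"
    r"|nameserver_history\.trc$|statements|crashdump|table_consistency_check"
    r"|\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot|tpt|cpt)$"
)
# The same list with the doubled pipe collapsed, as suggested in the reply above.
BLACKLIST_FIXED = BLACKLIST_AS_POSTED.replace("||", "|")

# Constructed sample paths under the hypothetical monitor directory.
SAMPLE_PATHS = [
    r"d:\usr\sap\ISP\D33\work\dispwork.trc",      # expected: monitored
    r"d:\usr\sap\ISP\D33\work\disp_alert_1.trc",  # expected: dropped by "_alert_"
    r"d:\usr\sap\ISP\D33\work\dispatcher.old",    # expected: dropped by ".old" suffix
    r"d:\usr\sap\ISP\D33\work\gateway.trc",       # expected: dropped, whitelist needs "disp"
]


def is_monitored(path, whitelist=None, blacklist=None):
    """Documented rule: a file matching both is NOT monitored (blacklist overrides whitelist).

    Both settings are independent; an unset one simply imposes no constraint.
    """
    if blacklist and re.search(blacklist, path):
        return False
    if whitelist and not re.search(whitelist, path):
        return False
    return True


def matches_everything(regex):
    """A pattern that matches the empty string matches every path.

    This is the cheap sanity check that catches a stray '||' (empty alternative)
    before the setting silently blacklists the whole directory.
    """
    return re.search(regex, "") is not None


def classify(paths, whitelist, blacklist):
    """Map each path to True (monitored) or False (ignored) under the given settings."""
    return {p: is_monitored(p, whitelist, blacklist) for p in paths}


if __name__ == "__main__":
    for label, blacklist in (("as posted", BLACKLIST_AS_POSTED), ("fixed", BLACKLIST_FIXED)):
        print(f"blacklist {label}: matches every path = {matches_everything(blacklist)}")
        for path, monitored in classify(SAMPLE_PATHS, WHITELIST, blacklist).items():
            print(f"  {'MONITOR' if monitored else 'ignore '}  {path}")
```

Running it shows the difference directly: with the fixed blacklist only dispwork.trc survives, while with the blacklist as posted nothing is monitored at all, which is the symptom to look for if a monitor stanza with a long blacklist suddenly stops producing events.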
