Hello,
Can I use both whitelist AND blacklist for the same monitoring stanza in the inputs.conf? Like below:
[monitor://d:\usr\sap\ISP\D33\work\disp*]
index=mlbso
disabled=false
interval=15
sourcetype=ISP_abaptraces
whitelist = disp
blacklist = [ICDicd]\d{6,}\.trc|_alert_|\.\d+_\w+\.trc|sqltrace||rtedump|available\.log$|nameserver_history\.trc$|statements|crashdump|table_consistency_check|\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot|tpt|cpt)$
Could you please advise?
Kind Regards,
Kamil
@damucka Yes, both whitelist and blacklist can be used in the same monitoring stanza.
Hello @damucka,
You can use both whitelist and blacklist in the same monitor stanza.
The documentation on inputs.conf even specifies the case when whitelist and blacklist match the same file:
If a file matches the regexes in both the blacklist and whitelist settings,
the file is NOT monitored. Blacklists take precedence over whitelists.
I also noticed that you wrote "...|sqltrace||rtedump|...".
Shouldn't it be "...|sqltrace|rtedump|..."?
EDIT: Have a look at Whitelist or blacklist specific incoming data:
When you define a whitelist, Splunk Enterprise only indexes the files you specify. When you define a blacklist, the software ignores the specified files and processes all other files.
Also:
It is not necessary to define both a whitelist and a blacklist in a stanza. They are independent settings. If you do define both and a file matches both, Splunk Enterprise does not index that file as blacklist overrides whitelist.
So I suggest using either a whitelist (only index specific files) or a blacklist (ignore specific files). I don't see any reason to use both.
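As an added example (not from the original thread and not Splunk's own code), the precedence rule quoted above and the effect of the `||` typo can be checked offline with a small Python simulation. It assumes what the inputs.conf spec states: both regexes are tested against the full path of each candidate file, and a blacklist match wins over a whitelist match. The `SAMPLE_PATHS` are constructed to resemble the SAP work directory in the question; `ORIGINAL_BLACKLIST` is the regex from the post and `FIXED_BLACKLIST` the same regex with the doubled `|` removed.

```python
import re

# Assumption (inputs.conf spec): whitelist/blacklist are regexes searched
# against the full path of each file; a blacklist hit overrides a whitelist hit.
def is_monitored(path, whitelist=None, blacklist=None):
    """Return True if `path` would be picked up under the given settings."""
    if whitelist is not None and not re.search(whitelist, path):
        return False          # whitelist set and path does not match it
    if blacklist is not None and re.search(blacklist, path):
        return False          # blacklist always wins, even if whitelisted
    return True


def filter_paths(paths, whitelist=None, blacklist=None):
    """Apply is_monitored() to a list of candidate paths."""
    return [p for p in paths if is_monitored(p, whitelist, blacklist)]


def matches_empty_string(pattern):
    """Sanity check: a blacklist that matches "" matches every path."""
    return re.search(pattern, "") is not None


# Blacklist exactly as posted in the question (note "sqltrace||rtedump").
ORIGINAL_BLACKLIST = (
    r"[ICDicd]\d{6,}\.trc|_alert_|\.\d+_\w+\.trc|sqltrace||rtedump|available\.log$"
    r"|nameserver_history\.trc$|statements|crashdump|table_consistency_check"
    r"|\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot|tpt|cpt)$"
)
# Same regex with the empty alternative removed.
FIXED_BLACKLIST = ORIGINAL_BLACKLIST.replace("sqltrace||rtedump", "sqltrace|rtedump")
WHITELIST = r"disp"

# Constructed sample paths (not real files from the poster's system).
SAMPLE_PATHS = [
    r"d:\usr\sap\ISP\D33\work\dev_disp",            # whitelisted, not blacklisted
    r"d:\usr\sap\ISP\D33\work\disp_alert_1.log",    # whitelisted AND blacklisted (_alert_)
    r"d:\usr\sap\ISP\D33\work\disp_trace.old",      # blacklisted by the extension list
    r"d:\usr\sap\ISP\D33\work\dev_w0",              # no "disp" in the path -> fails whitelist
    r"d:\usr\sap\ISP\D33\work\disp_ICD123456.trc",  # blacklisted by [ICDicd]\d{6,}\.trc
]

if __name__ == "__main__":
    print("fixed blacklist keeps:", filter_paths(SAMPLE_PATHS, WHITELIST, FIXED_BLACKLIST))
    print("posted blacklist keeps:", filter_paths(SAMPLE_PATHS, WHITELIST, ORIGINAL_BLACKLIST))
    print("posted blacklist matches empty string:", matches_empty_string(ORIGINAL_BLACKLIST))
```

The empty alternative in `sqltrace||rtedump` matches the empty string at the start of every path, so with the blacklist exactly as posted nothing under the monitored directory would be indexed at all; `matches_empty_string` is a cheap check worth running on any blacklist before it is deployed. The second sample path shows the precedence rule: it matches the whitelist, but the `_alert_` blacklist hit still excludes it.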