Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I use both the whitelist AND blacklist for the same monitoring stanza in the inputs.conf?

damucka
Builder
‎02-19-2019 12:34 AM

Hello,

Can I use both whitelist AND blacklist for the same monitoring stanza in the inputs.conf? Like below:

[monitor://d:\usr\sap\ISP\D33\work\disp*]
index=mlbso
disabled=false
interval=15
sourcetype=ISP_abaptraces
whitelist = disp
blacklist = [ICDicd]\d{6,}\.trc|_alert_|\.\d+_\w+\.trc|sqltrace||rtedump|available\.log$|nameserver_history\.trc$|statements|crashdump|table_consistency_check|\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot|tpt|cpt)$

Could you please advise?

Kind Regards,

Kamil

0 Karma
Reply

ashajambagi
Communicator
‎02-19-2019 01:52 AM

@damucka Yes,both whitelist and blacklist can be used in same monitoring stanza

0 Karma
Reply

whrg
Motivator
‎02-19-2019 01:40 AM

Hello @damucka,

You can use both whitelist and blacklist in the same monitor stanza.

The documentation on inputs.conf even specifies the case when whitelist and blacklist match the same file:

If a file matches the regexes in both the blacklist and whitelist settings,
the file is NOT monitored. Blacklists take precedence over whitelists.

I also noticed that you wrote "...|sqltrace||rtedump|...".
Shouldn't it be "...|sqltrace|rtedump|..."?

EDIT: Have a look at Whitelist or blacklist specific incoming data:

When you define a whitelist, Splunk Enterprise only indexes the files you specify. When you define a blacklist, the software ignores the specified files and processes all other files.

Also:

It is not necessary to define both a whitelist and a blacklist in a stanza. They are independent settings. If you do define both and a file matches both, Splunk Enterprise does not index that file as blacklist overrides whitelist.

So I suggest to use either whitelist (only index specific files) or blacklist (ignore specific files). I don't see any reason for using both.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...