Getting Data In

Can I use both the whitelist AND blacklist for the same monitoring stanza in the inputs.conf?



Can I use both whitelist AND blacklist for the same monitoring stanza in the inputs.conf? Like below:

whitelist = disp
blacklist = [ICDicd]\d{6,}\.trc|_alert_|\.\d+_\w+\.trc|sqltrace||rtedump|available\.log$|nameserver_history\.trc$|statements|crashdump|table_consistency_check|\.(?i:gz|json|old|py|tar|txt|xml|zip|jexlog|dot|tpt|cpt)$

Could you please advise?

Kind Regards,


0 Karma


@damucka Yes,both whitelist and blacklist can be used in same monitoring stanza

0 Karma


Hello @damucka,

You can use both whitelist and blacklist in the same monitor stanza.

The documentation on inputs.conf even specifies the case when whitelist and blacklist match the same file:

If a file matches the regexes in both the blacklist and whitelist settings,
the file is NOT monitored. Blacklists take precedence over whitelists.

I also noticed that you wrote "...|sqltrace||rtedump|...".
Shouldn't it be "...|sqltrace|rtedump|..."?

EDIT: Have a look at Whitelist or blacklist specific incoming data:

When you define a whitelist, Splunk Enterprise only indexes the files you specify. When you define a blacklist, the software ignores the specified files and processes all other files.


It is not necessary to define both a whitelist and a blacklist in a stanza. They are independent settings. If you do define both and a file matches both, Splunk Enterprise does not index that file as blacklist overrides whitelist.

So I suggest to use either whitelist (only index specific files) or blacklist (ignore specific files). I don't see any reason for using both.

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!