Forwarder - inputs.conf "merging"

verbal_666 · ‎02-26-2020

Hi guys.
Can you confirm Forwarder will never "merge" theese different inputs, holding same path?

addon: etc/apps/addon1/default/inputs.conf
[monitor:///tmp/]
whitelist=.*\.log$|.*\.txt$
index=blabla
sourcetype=blabla

addon: etc/apps/addon2/default/inputs.conf
[monitor:///tmp/]
whitelist=.*\.json$|.*\.dat$
index=blabla
sourcetype=blabla

... the first inputs from addon1 will be taken in consideration, while the second from addon2 will be rejected (conflict), without merging the whitelist for same original path "conflict"... so i absolutely need to take only 1 addon, holding all?

addon: etc/apps/singleaddon/default/inputs.conf
[monitor:///tmp/]
whitelist=.*\.log$|.*\.txt$|.*\.json$|.*\.dat$
index=blabla
sourcetype=blabla

The singleaddon works, obviously.

pruthvikrishnap · ‎02-26-2020

you can filter at the input layer is desirable to reduce the total
processing load in network transfer and computation on the Splunk platform
nodes that acquire and processing Event Log data.
1) you can use it this way
whitelist1 = | key=regex [key=regex]
whitelist2 = | key=regex [key=regex]
2) use a comma to saperate the next whitelist.
both would do the result

verbal_666 · ‎02-27-2020

Not sure having understood. Can you do an exact example with real inputs as above?

You're saying these inputs will work? "whitelistX=" directive in stanzas works?

 addon: etc/apps/addon1/default/inputs.conf
 [monitor:///tmp/]
 whitelist1=.*\.log$|.*\.txt$
 index=blabla
 sourcetype=blabla

 addon: etc/apps/addon2/default/inputs.conf
 [monitor:///tmp/]
 whitelist2=.*\.json$|.*\.dat$
 index=blabla
 sourcetype=blabla

verbal_666 · ‎02-27-2020

Ok. Taken from documentation,
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
... i missed this directive... need to try.

Event Log filtering

 Filtering at the input layer is desirable to reduce the total
 processing load in network transfer and computation on the Splunk platform
 nodes that acquire and processing Event Log data.

whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]

whitelist1 = <list of eventIDs> | key=regex [key=regex]
whitelist2 = <list of eventIDs> | key=regex [key=regex]
whitelist3 = <list of eventIDs> | key=regex [key=regex]
whitelist4 = <list of eventIDs> | key=regex [key=regex]
whitelist5 = <list of eventIDs> | key=regex [key=regex]
whitelist6 = <list of eventIDs> | key=regex [key=regex]
whitelist7 = <list of eventIDs> | key=regex [key=regex]
whitelist8 = <list of eventIDs> | key=regex [key=regex]
whitelist9 = <list of eventIDs> | key=regex [key=regex]
blacklist1 = <list of eventIDs> | key=regex [key=regex]
blacklist2 = <list of eventIDs> | key=regex [key=regex]
blacklist3 = <list of eventIDs> | key=regex [key=regex]
blacklist4 = <list of eventIDs> | key=regex [key=regex]
blacklist5 = <list of eventIDs> | key=regex [key=regex]
blacklist6 = <list of eventIDs> | key=regex [key=regex]
blacklist7 = <list of eventIDs> | key=regex [key=regex]
blacklist8 = <list of eventIDs> | key=regex [key=regex]
blacklist9 = <list of eventIDs> | key=regex [key=regex]

... clear! Need to try, later. Thanks.

ps. this is documented under "Windows Event Log Monitor" however... not sure will work in a normal log file... i'll try.

Forwarder - inputs.conf "merging"

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023