This is an older post, but we just started using 5000+ Universal Forwarders so this is really relevant to us. After a few months we're really feeling the pain of manual whitelisting. After reading through the documentation and forum posts, here's what I found.

You can specify a CSV file, or a field in a CSV file, for the serverclass to read from.

Example:
whitelist.from_pathname = clientLists/clientList1_whitelist.csv

https://docs.splunk.com/Documentation/Splunk/9.0.3/Admin/Serverclassconf

whitelist.from_pathname = <pathname>
blacklist.from_pathname = <pathname>
* As an alternative to a series of (whitelist|blacklist).<n>, the <clientName>,
<IP address>, and <hostname> list can be imported from <pathname> that is
either a plain text file or a comma-separated values (CSV) file.
* May be used in conjunction with (whitelist|blacklist).select_field,
(whitelist|blacklist).where_field, and (whitelist|blacklist).where_equals.
* If used by itself, then <pathname> specifies a plain text file where one
<clientName>, <IP address>, or <hostname> is given per line.
* If used in conjunction with select_field, where_field, and where_equals, then
<pathname> specifies a CSV file.
* The <pathname> is relative to $SPLUNK_HOME.
* May also be used in conjunction with (whitelist|blacklist).<n> to specify
additional values, but there is no direct relation between them.
* At most one from_pathname may be given per stanza.

There are a few other options for specifying fields in existing CSVs, so I'd recommend taking a look.
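A serverclass.conf stanza using the CSV form described in the quoted spec, as an added example that is not part of the original post or of Splunk's documentation. The server class name, the CSV column names (hostname, role) and the CSV rows are constructed for illustration; only the setting names and the file path come from the post.

```ini
# Constructed contents of $SPLUNK_HOME/clientLists/clientList1_whitelist.csv
# (from_pathname is resolved relative to $SPLUNK_HOME):
#
#   hostname,ip,role
#   web01.example.com,10.0.1.11,web
#   web02.example.com,10.0.1.12,web
#   db01.example.com,10.0.2.21,db
#
# Hypothetical server class that should match only the "web" rows.
[serverClass:example_web_forwarders]

# CSV file to import clients from. At most one from_pathname per stanza.
whitelist.from_pathname = clientLists/clientList1_whitelist.csv

# Column whose value is used as the client identifier
# (<clientName>, <IP address> or <hostname>).
whitelist.select_field = hostname

# Only rows where the "role" column equals "web" are selected,
# so db01.example.com is not whitelisted by this stanza.
whitelist.where_field = role
whitelist.where_equals = web

# Numbered entries can still be added alongside the file;
# they are evaluated independently of the CSV rows.
whitelist.0 = web-canary.example.com
```

Anyone who can write to the CSV decides which forwarders receive this server class's apps, so give the file the same ownership and permissions as serverclass.conf.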