File whitelisting / blacklisting
You can use inputs.conf to specify files to ignore (blacklist) or only consume (whitelist) for any specific source that you are tailing. The match for blacklist and whitelist uses regular expression syntax on the file name.
Please note: For whitelist and blacklist entries, use exact regex syntax. The "..." wildcard is not supported. Whitelist and blacklist settings must be placed inside a configuration stanza; entries outside a stanza are ignored (there are no global entries).
Configuration
Blacklist (ignore) files
Add the following argument=value to your tail input stanza in $SPLUNK_HOME/etc/bundles/local/inputs.conf:
_blacklist = $YOUR_CUSTOM_REGEX
Whitelist (allow) files
Add the following argument=value to your tail input stanza in $SPLUNK_HOME/etc/bundles/local/inputs.conf:
_whitelist = $YOUR_CUSTOM_REGEX
Example
[tail:///mnt/logs]
_whitelist = .*\.log
This example tells Splunk to tail only files with the .log extension.
[tail:///mnt/logs]
_blacklist = .*\.txt
This example tells Splunk to ignore all files with the .txt extension.
[tail:///mnt/logs]
_blacklist = \.(txt|gz)$
This example tells Splunk to ignore all files with either .txt or .gz extension.
Verification tool
To verify that your whitelist and blacklist rules are configured properly you should run the listtails utility found in your $SPLUNK_HOME/bin directory. Without interacting with the server in any way, the utility reads in the configuration of inputs.conf in all bundles, scans your directories and shows you the exact list of files that Splunk will tail when you restart.
Note: The listtails utility requires you to first run the command source setSplunkEnv.
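The following is an added example, not Splunk's own code, that mimics what listtails reports for the stanza examples above: it parses a constructed inputs.conf fragment (dropping any _whitelist/_blacklist line that sits outside a stanza) and applies the patterns to a constructed list of file names. The regex is applied with an unanchored search and a blacklist match overrides a whitelist match; both are assumptions, since the page does not state how the two interact.

```python
import re

# Constructed sample inputs.conf, not from the page. The stray top-level
# _blacklist line models a "global entry", which the page says is ignored.
SAMPLE_INPUTS_CONF = r"""
_blacklist = .*
[tail:///mnt/logs]
_whitelist = .*\.log
_blacklist = \.(txt|gz)$
"""

# Constructed file names (the match is on the file name, not the full path).
SAMPLE_FILES = ["app.log", "app.log.gz", "notes.txt", "debug.log.1", "README"]


def parse_stanzas(text):
    """Parse [stanza] / key = value lines; keys before any stanza are dropped."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas


def files_to_tail(stanza, names):
    """Keep names passing _whitelist (if set) and not hit by _blacklist (if set).
    Assumed: unanchored re.search, and blacklist wins when both match."""
    allow = re.compile(stanza["_whitelist"]) if "_whitelist" in stanza else None
    deny = re.compile(stanza["_blacklist"]) if "_blacklist" in stanza else None
    kept = []
    for name in names:
        if allow is not None and not allow.search(name):
            continue
        if deny is not None and deny.search(name):
            continue
        kept.append(name)
    return kept


if __name__ == "__main__":
    for stanza_name, settings in parse_stanzas(SAMPLE_INPUTS_CONF).items():
        print(stanza_name, files_to_tail(settings, SAMPLE_FILES))
```

Note that the unanchored pattern `.*\.txt` from the second example also drops a rotated file such as notes.txt.bak, whereas the anchored `\.(txt|gz)$` only excludes names that end in the extension; check the listtails output after any change to confirm the intended files remain.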
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6, 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.