Admin Manual

Whitelist or blacklist specific incoming data

Use whitelist and blacklist rules to tell Splunk explicitly which files to consume when it monitors a directory. When you define a whitelist, Splunk indexes ONLY the files that match it. When you define a blacklist, Splunk ignores the files that match it and consumes everything else. You do not have to define both; they are independent settings. If you define both and a file matches both, that file WILL NOT be indexed: _blacklist overrides _whitelist.

Note: If you define an input using the ... or * wildcards, that creates an implicit whitelist, and any _whitelist setting in that stanza is ignored.

Whitelist and blacklist rules use regular expression syntax, and the expression is matched against the file's path (directory and file name), not just the bare file name. Your rules must also be placed inside a configuration stanza, for example [monitor://<path>]; entries outside any stanza (global entries) are ignored.

Instead of whitelisting or blacklisting your data inputs, you can filter specific events and send them to different queues or indexes. Read more about filtering and routing events to different queues and filtering and routing events to alternate indexes. You can also use the crawl feature to predefine files you want Splunk to index or not index automatically when they are added to your filesystem.

Define whitelist and blacklist entries with exact regex syntax; the "..." wildcard is not supported.

Whitelist (allow) files

To define the files you want Splunk to index exclusively, add the following line to the monitor stanza in the local/inputs.conf file of the app in which this input is defined:

_whitelist = $YOUR_CUSTOM_REGEX

For example, if you want Splunk to monitor only files with the .log extension:

[monitor:///mnt/logs]
    _whitelist = \.log$

You can whitelist multiple files in one line, using the "|" (OR) operator. For example, to whitelist filenames that contain query.log OR my.log:

_whitelist = query\.log$|my\.log$

Or, to whitelist only files named exactly query.log or my.log (the leading "/" matches the path separator, so a name such as myquery.log no longer qualifies):

_whitelist = /query\.log$|/my\.log$

Note: The "$" anchors the regex to the end of the line. There is no space before or after the "|" operator.

Blacklist (ignore) files

To define the files you want Splunk to exclude from indexing, add the following line to the monitor stanza in the local/inputs.conf file of the app in which this input is defined:

_blacklist = $YOUR_CUSTOM_REGEX

Important: If you create a separate _blacklist line for each file you want to ignore, Splunk activates only the last one; the earlier lines are silently discarded. Combine the patterns into a single expression with the "|" operator instead.

If you want Splunk to ignore and not monitor only files with the .txt extension:

[monitor:///mnt/logs]
    _blacklist = \.(txt)$

If you want Splunk to ignore and not monitor all files with either the .txt extension OR the .gz extension (note that you use the "|" for this):

[monitor:///mnt/logs]
    _blacklist = \.(txt|gz)$

If you want Splunk to ignore entire directories beneath a monitor input refer to this example:

[monitor:///mnt/logs]
    _blacklist = (archive|historical|\.bak$)

The above example tells Splunk to ignore all files under /mnt/logs/ within the archive directory, within the historical directory, and all files ending in .bak. Because the expression is matched against the whole path, "archive" and "historical" are not anchored to directory boundaries here: a file named, for example, archive.log directly under /mnt/logs/ would also be ignored. Check the pattern against the actual file names in the tree before relying on it.

If you want Splunk to ignore files that contain a specific string you could do something like this:

[monitor:///mnt/logs]
    _blacklist = 2009022[89]file\.txt$

The above example ignores the webserver20090228file.txt and webserver20090229file.txt files under /mnt/logs/ (and, since the expression is not anchored at the start, any other file whose name ends in 20090228file.txt or 20090229file.txt).
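To make the rules above concrete, here is an added example that simulates the whitelist/blacklist decision for a set of monitored paths. It is not Splunk's code and not part of the original page; it only reproduces the behaviour the page describes: the regex is searched against the full path, a whitelist keeps only matching files, a blacklist drops matching files, a file that matches both is not indexed, and a stanza that repeats _blacklist keeps only its last line. The sample paths and the tightened directory pattern with surrounding slashes are my own constructions for illustration.

```python
import re

# Constructed sample of paths beneath a [monitor:///mnt/logs] input.
# Invented for this example; not taken from Splunk or from the page.
SAMPLE_PATHS = [
    "/mnt/logs/query.log",
    "/mnt/logs/myquery.log",          # contains "query.log" but is not that exact name
    "/mnt/logs/my.log",
    "/mnt/logs/access.log.1",         # rotated file: ".log" is not at the end of the name
    "/mnt/logs/notes.txt",
    "/mnt/logs/old.gz",
    "/mnt/logs/archive/app.log",
    "/mnt/logs/historical/app.log",
    "/mnt/logs/archive.log",          # a file, not a directory, whose name contains "archive"
    "/mnt/logs/app.bak",
    "/mnt/logs/webserver20090228file.txt",
    "/mnt/logs/webserver20090301file.txt",
]

# A stanza that repeats _blacklist; constructed to show that only the last line counts.
TWO_BLACKLISTS = r"""[monitor:///mnt/logs]
_blacklist = \.txt$
_blacklist = \.gz$
"""


def parse_stanza(text):
    """Read the key = value lines of one inputs.conf stanza into a dict.
    A key that appears twice keeps only its last value, which is why several
    _blacklist lines in one stanza leave only the last one active."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def should_index(path, whitelist=None, blacklist=None):
    """Decide whether a monitored file is consumed, following the page's rules:
    - with a whitelist, only paths the whitelist regex matches are candidates;
    - with a blacklist, any path the blacklist regex matches is dropped;
    - a path matching both is NOT indexed (the blacklist overrides the whitelist).
    The regex is searched (not fully matched) against the whole path, which is
    why the page anchors with '$' and a leading '/' to pin down file names."""
    if whitelist is not None and not re.search(whitelist, path):
        return False
    if blacklist is not None and re.search(blacklist, path):
        return False
    return True


def select(paths, whitelist=None, blacklist=None):
    """Return the subset of paths that would be indexed, in input order."""
    return [p for p in paths if should_index(p, whitelist, blacklist)]


def apply_stanza(paths, stanza_text):
    """Apply the _whitelist/_blacklist settings of a stanza to the sample paths."""
    s = parse_stanza(stanza_text)
    return select(paths, s.get("_whitelist"), s.get("_blacklist"))


if __name__ == "__main__":
    # Substring vs. exact-name whitelist: the unanchored form also picks up myquery.log.
    print(select(SAMPLE_PATHS, whitelist=r"query\.log$|my\.log$"))
    print(select(SAMPLE_PATHS, whitelist=r"/query\.log$|/my\.log$"))

    # The page's directory blacklist: "archive" also matches the file archive.log.
    print(select(SAMPLE_PATHS, blacklist=r"(archive|historical|\.bak$)"))
    # Pinning the directory names between slashes keeps archive.log (my tightening, not the page's).
    print(select(SAMPLE_PATHS, blacklist=r"(/archive/|/historical/|\.bak$)"))

    # Whitelist and blacklist together: archive/app.log matches both and is dropped.
    print(select(SAMPLE_PATHS, whitelist=r"\.log$", blacklist=r"archive"))

    # Two _blacklist lines: only the last survives, so .txt files are still indexed.
    print(apply_stanza(SAMPLE_PATHS, TWO_BLACKLISTS))
```

Run it and compare the lists: the anchored whitelist drops myquery.log, the page's directory blacklist also drops archive.log, and the repeated-blacklist stanza leaves notes.txt indexed while only old.gz is excluded.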

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11.
