Splunk® Enterprise

Getting Data In

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Whitelist- or blacklist-specific incoming data

Use whitelist and blacklist rules to explicitly tell Splunk Enterprise which files to consume when monitoring directories. You can also apply these settings to batch inputs. When you define a whitelist Splunk Enterprise indexes only the files in that list. When you define a blacklist, Splunk Enterprise ignores the files in that list and consumes everything else. Define whitelists and blacklists in the input stanza in inputs.conf.

It is not necessary to define both a whitelist and a blacklist in a stanza. They are independent settings. If you do define both and a file matches both, Splunk Enterprise does not index that file as blacklist overrides whitelist.

Whitelist and blacklist rules use regular expression syntax to define the match on the file name/path. They must be contained within a configuration stanza, for example [monitor://<path>]. Splunk Enterprise ignores whitelists and blacklists outside of stanzas.

To learn more about how to build regular expressions, visit the Regular-expressions.info (http://regular-expressions.info) website.

When you define whitelist and blacklist entries, you must use exact regular expression syntax.

Route and filter data

Instead of whitelisting or blacklisting your data inputs, you can filter specific events and send them to different queues or indexes. You can also use the crawl feature to predefine files you want Splunk to index or not index when they get added to your file system.

Whitelist (allow) files

To define the files you want to exclusively index, add the following line to your monitor stanza in the /local/inputs.conf file for the app this input was defined in:

whitelist = <your_custom regex>

For example, to monitor only files with the .log extension:

[monitor:///mnt/logs]
    whitelist = \.log$

You can whitelist multiple files in one line, using the "|" (OR) operator. For example, to whitelist filenames that contain query.log OR my.log:

whitelist = query\.log$|my\.log$

Or, to whitelist exact matches:

whitelist = /query\.log$|/my\.log$

Note: The "$" anchors the regex to the end of the line. There is no space before or after the "|" operator.

Blacklist (ignore) files

To define the files you want Splunk Enterprise to exclude from indexing, add the following line to your monitor stanza in the /local/inputs.conf file for the app this input was defined in:

blacklist = <your_custom regex>

If you create a blacklist line for each file you want to ignore, Splunk activates only the last filter.

To ignore and not monitor only files with the .txt extension:

[monitor:///mnt/logs]
    blacklist = \.(txt)$

To ignore and not monitor all files with either the .txt extension OR the .gz extension (note that you use the "|" for this):

[monitor:///mnt/logs]
    blacklist = \.(txt|gz)$

To ignore entire directories beneath a monitor input refer to this example:

[monitor:///mnt/logs]
    blacklist = (archive|historical|\.bak$)

This example tells Splunk Enterprise to ignore all files under /mnt/logs/ within the archive or historical directories and all files ending in *.bak.

To ignore files whose names contain a specific string, you can do:

[monitor:///mnt/logs]
   blacklist = 2009022[8|9]file\.txt$

This example ignores the webserver20090228file.txt and webserver20090229file.txt files under /mnt/logs/.

PREVIOUS
Specify input paths with wildcards
  NEXT
How Splunk Enterprise handles log file rotation

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15


Comments

Jcrews, <br /><br />Whitelist/blacklist operates on the file level, i.e. which files to include/exclude for indexing. What your are referring to is to selectively index events from a file. This can be achieved through a TRANSFORM, and the process is described in the "Route and Filter data" section; <br /><br />http://docs.splunk.com/Documentation/Splunk/6.1.3/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest

Kristian.kolb
September 2, 2014

Outside of blacklist filtering by numerical error code, is it possible to do so by log event type? In this specific instance I need to ignore all the events that aren't warnings and errors. That's all i want to index. Is there a better way?

Jcrews
August 27, 2014

Hi Psgorniak,<br /><br />You would need to apply a transform to the file to remove the contents that you did not want Splunk Enterprise to index. Review the "Anonymize data" topic in this manual for additional information.

Malmoore
April 23, 2014

How do you blacklist certain characters with a log file. I have a file that needs to be monitored but some of the contents within the file need to be on the blacklist. Is it possible?

Psgorniak
February 15, 2014

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters