
Whitelist or blacklist specific incoming data
You can use whitelist and blacklist rules to specify which files to consume or exclude when monitoring directories. You can also apply these settings to batch
inputs. When you define a whitelist, Splunk Enterprise only indexes the files you specify. When you define a blacklist, the software ignores the specified files and processes all other files. You define whitelists and blacklists in the input stanza in inputs.conf
. If you want to apply the same blacklists and whitelists across all your forwarders, you can set up a deployment server.
It is not necessary to define both a whitelist and a blacklist in a stanza. They are independent settings. If you do define both and a file matches both, Splunk Enterprise does not index that file as blacklist
overrides whitelist
.
Whitelist and blacklist rules use regular expression syntax to define the match on the file name/path. They must be contained within a configuration stanza, for example [monitor://<path>]
. Splunk software whitelists and blacklists outside of stanzas. When you define whitelist and blacklist entries, you must use exact regular expression syntax.
To learn more about how to build regular expressions, see Regular-expressions.info (http://regular-expressions.info) website.
Route and filter data
Instead of whitelisting or blacklisting your data inputs, you can filter specific events and send them to different queues or indexes. You can also use the crawl feature to predefine files you want to index or to exclude from indexing when they get added to your file system.
Whitelist (allow) files
- Add the following line to your
monitor
stanza in the/local/inputs.conf
file for the app context that you defined the input.
whitelist = <your_custom regex>
For example, to monitor only files with the
.log
extension:[monitor:///mnt/logs] whitelist = \.log$
Whitelist multiple files
You can whitelist multiple files in one line, using the "|" (OR) operator. For example, to whitelist filenames that contain query.log OR my.log
.
whitelist = query\.log$|my\.log$
Or, you can whitelist an exact match.
whitelist = /query\.log$|/my\.log$
Note: The "$" anchors the regular expression to the end of the line. There is no space before or after the "|" operator.
Blacklist (ignore) files
- Add the following line to your
monitor
stanza in the/local/inputs.conf
file for the app context that you defined the input in.
blacklist = <your_custom_regex>
If you create a blacklist
line for each file you want to ignore, Splunk Enterprise activates only the last filter.
Example: Blacklist only files with a .txt extension
To ignore and not monitor only files with the .txt
extension:
[monitor:///mnt/logs] blacklist = \.txt$
Example 2: Blacklist files with either a .txt or .gz extension
To ignore and not monitor all files with either the .txt
extension OR
the .gz
extension (note that you use the "|" for this):
[monitor:///mnt/logs] blacklist = \.(?:txt|gz)$
Example 3: Blacklist an entire directory
To ignore entire directories beneath a monitor input:
[monitor:///mnt/logs] blacklist = archive|historical|\.bak$
This example tells Splunk Enterprise to ignore all files under /mnt/logs/ within the archive or historical directories and all files ending in *.bak.
Example 4: Blacklist a file whose name contains a string
To ignore files whose names contain a specific string, you can do:
[monitor:///mnt/logs] blacklist = 2009022[89]file\.txt$
This example ignores the webserver20090228file.txt
and webserver20090229file.txt
files under /mnt/logs/
.
PREVIOUS Specify input paths with wildcards |
NEXT How Splunk Enterprise handles log file rotation |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12
Feedback submitted, thanks!