Splunk® Enterprise

Getting Data In

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Include or exclude specific incoming data

You can use allow list and deny list rules to determine which files that the Splunk platform consumes or excludes when you monitor a directory or set of directories. You can also apply these settings to batch type monitoring inputs. When you define an allow list, only indexes the files you specify. When you define a deny list, the Splunk platform ignores the specified files and processes all other files. You define these filters in the input stanza in the inputs.conf configuration file. If you want to apply the same filters across all of the forwarders in a Splunk platform deployment, you can set up a deployment server to perform this task. See About deployment server and forwarder management in Updating Splunk Enterprise Instances.

You don't need to define both an allow list and a deny list in a configuration stanza. The settings are independent, but the deny list filter overrides the allow list filter if a file is in both lists. If you define both filters and a file matches them both, does not index that file.

The list rules use the regular expression syntax to define the match on the file name or path. The rules must be contained within a configuration stanza, such as [monitor://<path>]. The Splunk platform ignores filter lists that are not inside a stanza. When you define filter entries, you must use exact regular expression syntax.

Route and filter data

Instead of including or excluding your data inputs, you can filter specific events and send them to different queues or indexes.

Include files

Add the following line to your monitor stanza in the local/inputs.conf file for the app context that you defined the input.

whitelist = <your_custom regex>


For example, to monitor only files with the .log extension, make the following change:

[monitor:///mnt/logs]
    whitelist = \.log$

Include multiple files

You can include multiple files in one line, using the "|" (pipe, or "OR") operator. For example, to include file names that contain query.log OR my.log, add the following line to the inputs.conf file:

whitelist = query\.log$|my\.log$

Or, you can include only files that match exactly. See the following example:

whitelist = /query\.log$|/my\.log$

The dollar symbol ( $ ) anchors the regular expression to the end of the line. There is no space before or after the pipe ( | ) operator.

Exclude files

Add the following line to your monitor stanza in the /local/inputs.conf configuration file for the app context in which you defined the input.

blacklist = <your_custom_regex>

If you create a blacklist entry for each file you want to ignore, activates only the last filter.

Example 1: Exclude only files with a .txt extension

To ignore and not monitor only files with the txt extension, add the following line to the inputs.conf file:

[monitor:///mnt/logs]
    blacklist = \.txt$

Example 2: Exclude files with a .txt or .gz extension

To ignore and not monitor all files with either the .txt extension or the .gz extension, add the following line to the inputs.conf file:

[monitor:///mnt/logs]
    blacklist = \.(?:txt|gz)$

Example 3: Exclude an entire directory

To ignore entire directories beneath a monitor input, add the following line to the inputs.conf file:

[monitor:///mnt/logs]
    blacklist = archive|historical|\.bak$

This example configures to ignore all files under /mnt/logs/ within the archive or historical directories, and all files ending in the *.bak extension.

Example 4: Exclude a file whose name contains a string

To ignore files whose names contain a specific string, add the following line to the inputs.conf file:

[monitor:///mnt/logs]
   blacklist = 2009022[89]file\.txt$

This example ignores the webserver20090228file.txt and webserver20090229file.txt files under /mnt/logs/.

Example 5: Exclude Windows Event Code 4662 events whose Message field contains a specific value

To ignore Windows Event Code 4662 events whose Message field contains events with the value Account Name: "example account", add the following line to the inputs.conf file:

[WinEventLog:Security]
blacklist1 = EventCode = "4662" Message = "Account Name:\s+(example account)"
Last modified on 31 March, 2021
Specify input paths with wildcards   How the Splunk platform handles log file rotation

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0, 8.1.10, 8.1.12, 8.1.14, 8.1.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters