This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6
When specifying inputs to monitor in inputs.conf, you can use whitelist and blacklist rules to explicitly tell Splunk to consume ONLY certain files or consume everything EXCEPT certain files. When you define a whitelist, Splunk indexes ONLY the files in that list. Alternatively, when you define a blacklist, Splunk ignores the files in that list and consumes everything else. These settings are independent of each other.
Whitelist and blacklist rules use regular expression syntax to define the match on the file name. Also, your rules must be contained within a configuration stanza, for example [monitor://<path>]; those outside a stanza (global entries) are ignored.
Important: Define whitelist and blacklist entries with exact regex syntax; the "..." wildcard is not supported.
To define the files you want Splunk to exclusively index, add the following line to your monitor stanza in $SPLUNK_HOME/etc/system/local/inputs.conf:
_whitelist = $YOUR_CUSTOM_REGEX
For example, if you want Splunk to monitor only files with the .log extension:
[monitor:///mnt/logs]
_whitelist = .*\.log
To define the files you want Splunk to exclude from indexing, add the following line to your monitor stanza in $SPLUNK_HOME/etc/system/local/inputs.conf:
_blacklist = $YOUR_CUSTOM_REGEX
For example, if you want Splunk to ignore (not monitor) only files with the .txt extension:
[monitor:///mnt/logs]
_blacklist = .*\.txt
If you want Splunk to ignore (not monitor) all files with either the .txt extension or the .gz extension:
[monitor:///mnt/logs]
_blacklist = \.(txt|gz)$
To verify that your whitelist and blacklist rules are configured properly, run the listtails utility found in your $SPLUNK_HOME/bin directory. listtails reads in the configuration of inputs.conf in all bundle directories, scans the directories and shows you the exact list of files that Splunk will tail when you restart.
Note: The listtails utility requires you to first run the command source setSplunkEnv.
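An offline pre-check of the rules above, as an added example that is not part of the Splunk documentation. It assumes the regex is searched anywhere in the full path (as the `$` anchor in the last blacklist example suggests), that a file must match the whitelist and not match the blacklist, and that Python's `re` behaves like Splunk's regex engine for these simple patterns; `preview_monitor`, the anchored `\.log$` variant and the sample file names are constructed for illustration, and listtails remains the authoritative check.

```python
import re

def preview_monitor(paths, whitelist=None, blacklist=None):
    """Return (consumed, skipped) for a list of paths.

    Assumption: a rule matches if the regex is found anywhere in the path,
    and a file is consumed only if it passes the whitelist (when set)
    and does not hit the blacklist (when set).
    """
    wl = re.compile(whitelist) if whitelist else None
    bl = re.compile(blacklist) if blacklist else None
    consumed, skipped = [], []
    for path in paths:
        if wl and not wl.search(path):
            skipped.append((path, "not whitelisted"))
        elif bl and bl.search(path):
            skipped.append((path, "blacklisted"))
        else:
            consumed.append(path)
    return consumed, skipped

# Constructed sample directory listing for /mnt/logs.
SAMPLE_FILES = [
    "/mnt/logs/access.log",
    "/mnt/logs/access.log.1",      # rotated copy
    "/mnt/logs/access.log.gz",     # compressed copy
    "/mnt/logs/notes.txt",
    "/mnt/logs/audit.txt.bak",
    "/mnt/logs/secure",
]

# (label, whitelist regex, blacklist regex); first, third and fourth are the page's rules.
RULES = [
    ("_whitelist = .*\\.log", r".*\.log", None),
    ("_whitelist = \\.log$ (anchored variant)", r"\.log$", None),
    ("_blacklist = .*\\.txt", None, r".*\.txt"),
    ("_blacklist = \\.(txt|gz)$", None, r"\.(txt|gz)$"),
]

if __name__ == "__main__":
    for label, wl, bl in RULES:
        consumed, skipped = preview_monitor(SAMPLE_FILES, wl, bl)
        print(label)
        for path in consumed:
            print("  consume:", path)
        for path, reason in skipped:
            print("  skip   :", path, "(" + reason + ")")
```

Under these assumptions the unanchored rules also catch rotated and backup names such as access.log.1 and audit.txt.bak, which matters when a rule is meant to keep an audit source in scope or keep a file out of the index.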