Splunk.com | SplunkBase | Support

Documentation: 3.0.1

| Print Version Contents

How Splunk Works
- How Splunk Works
Getting Started
- About the getting started section
- Installation
- Administration Basics
- Change defaults
- Start Splunk for the first time
- Find and index data
- Add more users
Configuring a Splunk Deployment
- Choose a Deployment Model
- Decide how Splunk should index your data
- Install Splunk on every host
- Configure the forwarding servers
- Set up the deployment server
  - Configure the deployment server
  - Set up deployment classes
- Start Splunking
Data Inputs
- How input configuration works
  - Data input types
  - Indexing properties
- Configure inputs via SplunkWeb
- Configure inputs via the CLI
- Scripted inputs
  - Configuration
  - Example
- File whitelisting / blacklisting
Hosts
- How host works
- Set default host for a Splunk server
  - via SplunkWeb
  - via configuration files
- Define host assignment for an input
  - Statically
  - Dynamically
- Tag hosts
  - via SplunkWeb
  - Host tags vs host names
- Extract host per event
  - Configuration
  - Example
- Host name configuration examples
  - Setting host through inputs.conf
  - Setting host through transforms.conf and props.conf
Source Types
- How source types work
- Set source type for an input
  - via SplunkWeb
  - via configuration files
- Set a source type for a source
  - via configuration files
- Train Splunk on a sourcetype
  - via the CLI
- Create an alias for a source type
  - via SplunkWeb
Timestamp Recognition
- How Splunk recognizes timestamps
  - Timestamp precedence
  - Configuration files for timestamps
- Configure Splunk to recognize a timestamp
- Train Splunk to recognize timestamps
  - About training
  - via the CLI
- How to configure timezone offsets
- Tune Timestamping
  - Turn off timestamp lookahead
Events
- How events work
- Large events
- Multiline events
  - Configuration
  - Examples
- Mask sensitive data in an event
  - Configuration
Event Types
- How event types work
- Configure auto-discovery
  - Configuration
  - Example
- punct::
- Save event types via SplunkWeb
  - Configuration
  - Example
- Configure eventtypes.conf
- Considerations for event types in distributed environments
Meta Events
- How meta events work
  - Transitive meta events
  - Configuration files for meta events
- Configure meta events
  - Configuration
  - Examples
Fields
- How fields work
- Define additional extracted fields
  - Configuration
  - Example
- Field actions
  - Configuration
Segmentation
- How segmentation works
  - Configuration files for segmentation
Saved Searches and Alerts
- How saved searches work
  - Saved searches
  - Alerting
- Set up saved searches
  - via SplunkWeb
  - via configuration files
- Set up Alerts
- Send SNMP traps
  - Configuration
- Send syslog events
  - Configuration
  - Example
- Considerations for saved searches and alerts in a distributed environment
Authentication
- How authentication works
- SSL
  - Configuration
  - SSL for SplunkWeb
- Set up users
- Set up LDAP
Data Distribution
- How data distribution works
- Enable forwarding and receiving
- Set up routing
  - Configuration
  - Examples
- Route data to third-party systems
  - Configuration
  - Example
- Enable cloning
- Set up SSL
  - Forwarder
  - Receiver
- Set up data balancing
  - Configuration
  - Example
- Filtering and routing
  - Configuration
  - Example
- Filter data before forwarding
- Route specific events to an alternate index
  - Configuration
  - Example
Granular Access Control
- How Granular Access Control works
  - Configuration files for access controls
Distributed Search
- How distributed search works
  - Known issues with distributed search
- Enable distributed search via SplunkWeb
- Enable distributed search via the CLI
  - Configuration
- Configuration files for distributed search
- Users in a distributed search setup
- Exclude specific Splunk servers from distributed searches
Deployment Server
- How the deployment server works
  - Communication between deployment server and client
  - Configuration files for deployment server
- Configure a Splunk Deployment Server
- Configure deployment clients
  - Enable the client and server
  - Sync the server and client
- Configuration changes after initial deployment
- Using Splunk with 3rd Party configuration management systems
Index Management
- How Index Management Works
  - Data management
  - Configuration files for index management
- Disk usage
  - Set minimum free disk space
  - Set database size
- Set retirement policy
  - Remove files beyond a certain size
  - Remove files beyond a certain age
- Automate archiving
  - Use Splunk's index aging policy to archive
- Restoring archived data
  - Restoring a copied index archive
- Configuration files for data policy
- Use separate partitions for Splunk's datastore
  - Set up separate partitions
- Use WORM (Write Once Read Many) volumes for Splunk's datastore
  - Set up a WORM datastore
- Reducing Index Density
- Delete data from the index
  - Delete everything
  - Delete a subset of events
Bundles
- What are Bundles?
- Bundle directory structure
- Bundle precedence
- Bundle best practice
  - Testing bundles
SplunkBase
- Why use SplunkBase?
- Sharing add-ons on SplunkBase
- Finding and downloading add-ons on SplunkBase
  - Implementing add-ons from SplunkBase
- Looking up events on SplunkBase
  - Configuration
- Security and privacy considerations
- Control user access to SplunkBase
Performance Tuning
- Indexing performance
- Search performance
- Storage efficiency
- Network utilization
- CPU and memory footprint
  - Improve CPU usage
  - Improve memory usage
- Multi-CPU servers
  - indexes.conf
- 64-bit operating systems
  - indexes.conf
- Virtual machines
Routine Maintenance
- System backups
  - Backups in 3 Easy Steps
- Monitoring Splunk
  - via SplunkWeb
How-To
- Harden a Splunk server
- Secure network connections
- Restore a failed server
- Add or Remove an index
  - Create an index
  - Delete an index
- Move an index
  - Configuration
- Change data policy to recover space
- Anonymize data samples
  - Simple method
  - Advanced method
- Public server setup
- Determine daily volume
- Set up auto-refresh
- Upgrade your license for more data
- How to use Splunk 2 Nagios
  - What Nagios logs
  - Install the Splunk2Nagios integration
- Restore a blocked license
- Customize the built-in help module
- Configure GUI Timeout
- Configure the Get Started module
- Disable SplunkWeb
  - Edit web.conf
  - Run the disable command
  - Re-enable SplunkWeb
- Place Splunk behind a web proxy
  - Scenario:
  - Solution:
- Configure OPSEC LEA Input
  - Installation
  - Checkpoint Modification
  - Configuration
- Cancel Search
- Reconstitute Logs
  - Export event data
  - CLI search
- Strip syslog headers before processing
- Enable HTTPS
  - configuration
Troubleshooting
- Splunkd is down
- Splunk logfiles
- License issues
- Contact Support
  - Work with Splunk Support
  - Log levels and starting in debug mode
Reference
- Splunk CLI
  - CLI commands
  - auth and uri parameters
  - Note for Mac users
- Pre-trained source types
  - Automatically recognized source types
  - Pre-trained source types
- Configuration file list
- access_controls.conf
  - access_controls.conf.spec
- alert_actions.conf
  - alert_actions.conf.spec
- auth.conf
  - auth.conf.spec
- deployment.conf
  - deployment.conf.spec
- eventdiscoverer.conf
  - eventdiscoverer.conf.spec
- eventtypes.conf
  - eventtypes.conf.spec contents
- field_actions.conf
  - field_actions.conf.spec
- indexes.conf
  - indexes.conf.spec
- inputs.conf
  - inputs.conf.spec
- metaevents.conf
  - metaevents.conf.spec
- outputs.conf
  - outputs.conf.spec
- prefs.conf
  - prefs.conf.spec
- props.conf
  - props.conf.spec
- savedsearches.conf
  - How to read a savedsearches.conf file
  - savedsearches.conf.spec
- segmenters.conf
  - segmenters.conf.spec
- server.conf
  - server.conf.spec
- transforms.conf
  - transforms.conf.spec
- user-seed.conf
  - user-seed.conf.spec
- web.conf
  - web.conf.spec

This page last updated: 10/24/07 10:10am

File whitelisting / blacklisting

You can use inputs.conf to specify files to ignore (blacklist) or only consume (whitelist) for any specific source that you are tailing. The match for blacklist and whitelist uses regular expression syntax on the file name.

Please note: For whitelist and blacklist entries, please use exact regex syntax. The "..." wildcard is not supported. Whitelist and blacklist configurations must be in a configuration stanza, those outside a stanza are ignored (no global entries.)

Configuration

Blacklist (ignore) files

Add the following argument=value to your tail input stanza in $SPLUNK_HOME/etc/bundles/local/inputs.conf:

_blacklist = $YOUR_CUSTOM_REGEX

Whitelist (allow) files

Add the following argument=value to your tail input stanza in $SPLUNK_HOME/etc/bundles/local/inputs.conf

_whitelist = $YOUR_CUSTOM_REGEX

Example

[tail:///mnt/logs]
    _whitelist = .*\.log

This example tells Splunk to tail only files with the .log extension.

[tail:///mnt/logs]
    _blacklist = .*\.txt

This example tells Splunk to ignore all files with the .txt extension.

[tail:///mnt/logs]
    _blacklist = \.(txt|gz)$

This example tells Splunk to ignore all files with either .txt or .gz extension.

Verification tool

To verify that your whitelist and blacklist rules are configured properly you should run the listtails utility found in your $SPLUNK_HOME/bin directory. Without interacting with the server in any way, the utility reads in the configuration of inputs.conf in all bundles, scans your directories and shows you the exact list of files that Splunk will tail when you restart.

Note: The listtails utility requires you to first run the command source setSplunkEnv

Previous: This Page Has No H1 159454 | Next: How host works

Comments

This section could benefit from a few more examples. Perhaps how to filter out subdirectories, ignore case, etc.
Posted by Dave on Nov 29 2007, 1:27pm
_blacklist = .*\.(gz|csv)

This example tells Splunk to ignore all files with the .gz or .csv extension.
Posted by dmourati on Oct 11 2007, 4:38pm

Log in to comment.