• How Splunk Works
  • Overview of Splunk
    • Configuration options
    • Installation and upgrade
    • Data inputs
    • Indexing
    • Fields
    • Search
    • Security
    • Data management
    • Deployment server
    • Performance tuning
    • Configuration files
    • Applications
    • Customization
    • Troubleshooting
• Getting Started
  • Start Splunk
    • Before you start
    • Start Splunk on non-Windows platforms
    • Start Splunk on Windows
    • Load Splunk Web in your browser
  • Administration basics
    • Add Splunk to your shell path
    • Splunk's CLI
    • Start/stop Splunk, check status
    • Help
  • Change defaults
    • Changing the admin default password
    • Changing network ports
    • Changing the default Splunk server name
    • Changing the datastore location
    • Set minimum free disk space
  • Find and index data
    • Add Data
    • Monitor a file
    • Crawl for inputs
  • Add more users
    • Splunk local users
  • Start searching
• Data Inputs
  • How input configuration works
    • Files and directories
    • Network ports
    • Scripted inputs
    • Indexing properties
  • Configure inputs via Splunk Web
    • Configuration
  • Configure inputs via the CLI
    • Data input commands
    • Data input types
  • Configure inputs via inputs.conf
    • Configuration
    • Global settings
    • Input types
    • Examples
  • Configure inputs for Windows
    • Configure indexing for Windows event logs
    • Configure Windows registry monitoring input
  • WMI input
    • Security and remote access considerations
    • Configure WMI input
    • Source and source type for WMI data
  • Windows registry input
    • How it works
    • Get a baseline snapshot
    • What to consider
    • Configure Windows registry input
  • Configure crawl
    • Configuration
    • Example
  • Scripted inputs
    • Configuration
    • Example
  • Configure whitelist and blacklist rules
    • Whitelist (allow) files
    • Blacklist (ignore) files
    • Verify your lists
  • Log file rotation
    • How log rotation works
  • Strip syslog headers before processing
    • Configuration
    • Example
  • Determine what files Splunk is monitoring
    • Run listtails
  • Index SNMP events with Splunk
  • log4j
• Data Distribution
  • How data distribution works
    • Forwarding
    • Routing
    • Cloning
    • Data balancing
    • Target groups
    • Security
    • Send to 3rd party systems
    • Distributed search
    • Configuration files for data distribution
  • Enable forwarding and receiving
    • Receiving
    • Forwarding
    • Lightweight forwarding
  • Configure target groups in outputs.conf
    • Configuration
    • Example
  • Set up routing
    • Configuration
    • Basic example
    • Advanced example
  • Filtering and routing
    • Configuration
    • Example
  • Route specific events to an alternate index
    • Configuration
    • Example
  • Set up SSL
    • Forwarder
    • Receiver
  • Enable cloning
  • Set up data balancing
    • Configuration
    • Example
  • Route data to third-party systems
    • Configuration
    • Example
• Indexes
  • How indexing works
    • How events work
    • How segmentation works
  • Index multi-line events
    • Configuration
    • Examples
  • Configure segmentation
    • Splunk Web segmentation
  • Configure custom segmentation for a host, source, or source type
    • via props.conf
    • Example
  • Mask sensitive data in an event
    • Configuration
  • Configure character set encoding
    • Supported character sets
    • Manually specify a character set
    • Automatically specify a character set
    • If Splunk doesn't recognize a character set
  • Dynamic metadata assignment
    • Configuration
    • Set values with a script
• Timestamps
  • How timestamp extraction works
    • Precedence rules for timestamp assignment
    • Configure timestamps
  • Configure timestamp extraction
    • Configure timestamp extraction in props.conf
    • Enhanced strptime() support
    • Examples
  • Configure timezone offsets
    • Configure timezone offsets in props.conf
    • zoneinfo (TZ) database
    • Configure timezone offsets for Splunk versions before 3.2
  • Configure European date formats
    • Configure European date format in literals.conf
    • Use the timeformat modifier
  • Configure positional timestamp extraction
    • Configure positional timestamp extraction in props.conf
  • Tune timestamp extraction for better indexing performance
    • Adjust timestamp lookahead
    • Turn off the timestamp processor
  • Train Splunk to recognize a timestamp
    • Steps to configure timestamps with train dates
    • Run the train dates command
    • Create a custom datetime.xml
    • Edit your local props.conf
• Fields
  • How fields work
    • Indexed vs. extracted fields
    • Configure fields
    • Disable automatically extracted fields
    • Configuration files for fields
  • Create indexed fields via configuration files
    • Configuration
    • Example
  • Create extracted fields via configuration files
    • Configuration
    • Example
    • Extract fields from multi-line events
  • Create extracted fields via Splunk Web
    • Configuration
  • Field actions
    • Configuration
    • Example
  • Configure fields.conf
    • Configuration
  • Configure multi-value fields
    • Configure multi-value fields via fields.conf
    • Example
  • Configure tags
    • Configure tags vis tags.conf
    • Examples
  • Automatic header-based field extraction
    • How automatic header-based field extraction works
    • Configure automatic header-based field extraction
    • Note about search and header-based field extraction
    • Examples
• Hosts
  • How host works
    • How host is assigned
    • Host tagging
    • Configuration files for host
  • Set default host for a Splunk server
    • via Splunk Web
    • via configuration files
  • Define host assignment for an input
    • Statically
    • Dynamically
  • Tag hosts
    • via Splunk Web
    • Host tags vs host names
  • Extract host per event
    • Configuration
    • Example
• Source Types
  • How source types work
    • Source vs source type
    • How Splunk can set sourcetype field values
    • How Splunk applies source type values (precedence)
    • Configuration files for source types
  • Rule-based association of source types
    • Configuration
    • Examples
  • Set source type for an input
    • via Splunk Web
    • via configuration files
  • Set source type for a source
    • via configuration files
  • Train Splunk to recognize a source type
    • via the CLI
  • Source type settings in props.conf
  • Configure a source type alias
• Event Types
  • How event types work
    • Events versus event types
    • Event type classification
    • Event type discovery
    • Create new event types
    • Event type tags
    • Configuration files for event types
  • Save event types via Splunk Web
    • Configuration
  • Configure eventtypes.conf
    • Configuration
    • Example
    • Disable event types
  • Tag event types
    • Configuration
  • Event type discovery
    • Configure event types
  • Event type templates
    • Configuration
    • Example
  • Dynamic event rendering
    • How dynamic event rendering works
    • Configure dynamic event rendering
    • Example
• Transaction Types
  • How transaction types work
    • Define transactions
    • Sample use cases
  • Transaction types via configuration files
    • Configuration
    • Example
  • Transaction search
    • Transactions and macro search
• Search
  • How search works
    • Saved searches
    • Alerting
    • Live tail
    • Summary indexing
  • Set up saved searches
    • via Splunk Web
  • Set up saved searches via savedsearches.conf
    • Configuration
    • Example
  • Set up alerts via Splunk Web
    • Set up an alert
    • Specify which fields to show
  • Set up alerts via savedsearches.conf
    • alerting options
    • display options
    • Script options
    • Example
  • Customize alert options
    • Email options
    • Additional alert customizations
  • Create a form search
    • Form searches with fields
    • Form searches with predefined values
    • Share your form search
  • Macro searches
    • Configure a macro search
  • Configure summary indexing
    • Summary indexing and license volume
    • Manually configure summary indexing
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the Splunk CLI
    • Current limitations
  • Send syslog events
    • Configuration
    • Example
  • Send SNMP traps
    • Configuration
    • Configure your alert to call a shell script
• Distributed Search
  • How distributed search works
    • Known issues with distributed search
  • Enable distributed search via Splunk Web
  • Enable distributed search via the CLI
    • Configuration
  • Configure distributed search via distsearch.conf
    • Configuration
    • Example
  • Exclude specific Splunk servers from distributed searches
• Security
  • Security options
    • Authentication
    • Audit
  • Enable HTTPS
    • Configuration
    • Certificates
  • SSL
    • Configuration
  • Configure roles
    • Configuration
    • Example
  • Set up LDAP
    • Configure LDAP
    • Example
    • Known issues with LDAP
  • Scripted authentication
    • Known issues with scripted auth
    • Configuration
    • Script commands
  • File system change monitor
    • How the file system change monitor works
    • Configure the file system change monitor
  • Audit events
    • Audit event composition
    • Audit event generation
    • Audit event storage
    • Audit event processing
    • Search for audit events
  • Audit event signing
    • How audit event signing works
    • Configure audit event signing
  • Event hashing
    • How event hashing works
    • Event hashing in search results
    • Configure custom decorations for Splunk Web
    • Configure event hashing
    • Configure filtering
  • IT data signing
    • How IT data signatures work
    • Configure IT data signing
    • View the integrity of IT data
    • Performance implications
  • Archive signing
    • How archive signing works
    • Verify archived data signatures
    • Configure coldToFrozen scripts
    • Sign or verify your data slices
• Data Management
  • How data management works
    • Data management
    • Configuration files for index management
  • Create an index
    • via Splunk Web
    • via Splunk's CLI
    • via indexes.conf
    • Delete an index
  • Remove (delete) data
    • Remove event data from an index
    • Remove global data
    • Remove user data
    • Remove all data
    • Remove events from search results
  • Move an index
    • Configuration
  • Set a retirement and archiving policy
    • Remove files beyond a certain size
    • Remove files beyond a certain age
  • Automate archiving
    • Use Splunk's index aging policy to archive
  • Export event data
    • via the CLI
    • via Splunk Web
  • Disk usage
    • Set minimum free disk space
    • Set database size
  • Use separate partitions for Splunk's datastore
    • Set up separate partitions
  • Use WORM (Write Once Read Many) volumes for Splunk's datastore
    • Configuration
• Deployment Server
  • How the deployment server works
    • Communication between deployment server and client
    • Configuration files for deployment server
  • Configure a Splunk Deployment Server
    • Configuration
    • Example
  • Configure server classes
    • Configuration
    • Example
  • Configure deployment clients
    • Enable clients via the CLI
    • Enable clients via deployment.conf
    • Example
  • Sync the server and client
    • Configuration changes
• Performance Tuning
  • Performance tuning Splunk
    • Hardware considerations
    • Increase indexing performance
    • Increase search speed
    • Improve storage efficiency
    • Reduce the CPU and memory footprint
    • Utilize multiple CPUs
    • 64-bit operating systems
  • Indexing performance
    • Negative impact on indexing performance
    • Processors
    • indexes.conf
    • props.conf
    • segmenters.conf
  • Search performance
    • indexes.conf
    • props.conf
    • web.conf
    • fields.conf
    • Configure Splunk Web
  • Storage efficiency
    • Reduce index density
    • Tuning inputs.conf
    • Tuning props.conf
    • Tuning segmenters.conf
  • CPU and memory footprint
    • Improve CPU usage
    • Improve memory usage
  • Multi-CPU servers
    • indexes.conf
  • 64-bit operating systems
    • indexes.conf
  • Splunk backup options
    • Back up configurations
    • Back up your entire installation
  • Restore archived data
    • Restore with resurrect
    • Restore a copied index archive
• Configuration Files
  • How do configuration files work?
    • Configuration file directory structure
    • Configuration file precedence
  • Configure application directories
    • Make an application directory
    • Best practice
  • Configuration file list
• Applications
  • About applications
    • What are applications?
    • Where do they fit into Splunk?
    • Where can you find them?
    • How do you install them?
  • About Splunk's application manager
    • View and manage applications
    • Browse SplunkBase
  • Install Splunk applications
    • via Splunk's App Manager
    • after download from SplunkBase
    • on an isolated network or machine
  • Configure the application
    • Customize an application's event types
    • Customize an application's fields
    • Customize an application's inputs
    • Customize an application's saved searches and alerts
    • Customize an application's reports
• Reference
  • Splunk log files
    • Internal logs
    • debug
    • log.cfg
  • Work with metrics.log
    • Use metrics.log to troubleshoot issues with data inputs
  • Pre-trained source types
    • Automatically recognized source types
    • Pre-trained source types
  • alert_actions.conf
    • alert_actions.conf.spec
    • alert_actions.conf.example
  • app.conf
    • app.conf.spec
    • app.conf.example
  • audit.conf
    • audit.conf.spec
    • audit.conf.example
  • authentication.conf
    • authentication.conf.spec
    • authentication.conf.example
  • authorize.conf
    • authorize.conf.spec
    • authorize.conf.example
  • commands.conf
    • commands.conf.spec
    • commands.conf.example
  • crawl.conf
    • crawl.conf.example
    • crawl.conf.spec
  • decorations.conf
    • decorations.conf.spec
    • decorations.conf.example
  • deployment.conf
    • deployment.conf.spec
    • deployment.conf.example
  • distsearch.conf
    • distsearch.conf.spec
    • distsearch.conf.example
  • eventdiscoverer.conf
    • eventdiscoverer.conf.spec
    • eventdiscoverer.conf.example
  • eventtypes.conf
    • eventtypes.conf.spec
    • eventtypes.conf.example
  • field_actions.conf
    • field_actions.conf.spec
    • field_actions.conf.example
  • fields.conf
    • fields.conf.spec
    • fields.conf.example
  • indexes.conf
    • indexes.conf.spec
    • indexes.conf.example
  • inputs.conf
    • inputs.conf.spec
    • inputs.conf.example
  • limits.conf
    • limits.conf.spec
    • limits.conf.example
  • literals.conf
    • literals.conf.example
  • multikv.conf
    • multikv.conf.spec
    • multikv.conf.example
  • outputs.conf
    • outputs.conf.spec
    • outputs.conf.example
  • prefs.conf
    • prefs.conf.spec
    • prefs.conf.example
  • props.conf
    • props.conf.example
    • props.conf.spec
  • props.conf (cont)
    • props.conf.spec, continued
  • regmon-filters.conf
    • regmon-filters.conf.spec
    • regmon-filters.conf.example
  • restmap.conf
    • restmap.conf.example
    • restmap.conf.spec
  • savedsearches.conf
    • savedsearches.conf.example
    • savedsearches.conf.spec
  • segmenters.conf
    • segmenters.conf.example
    • segmenters.conf.spec
  • server.conf
    • server.conf.example
    • server.conf.spec
  • source-classifier.conf
    • source-classifier.conf.example
    • source-classifier.conf.spec
  • sourcetypes.conf
    • sourcetypes.conf.example
    • sourcetypes.conf.spec
  • streams.conf
    • streams.conf.example
    • streams.conf.spec
  • strings.conf
    • strings.conf.example
    • strings.conf.spec
  • sysmon.conf
    • sysmon.conf.example
    • sysmon.conf.spec
  • tags.conf
    • tags.conf.spec
    • tags.conf.spec
  • transactiontypes.conf
    • transactiontypes.conf.example
    • transactiontypes.conf.spec
  • transforms.conf
    • transforms.conf.example
    • transforms.conf.spec
  • user-seed.conf
    • user-seed.conf.example
    • user-seed.conf.spec
  • web.conf
    • web.conf.example
    • web.conf.spec
  • wmi.conf
    • wmi.conf.example
    • web.conf.spec
• Troubleshooting
  • Contact Support
    • infoGather
    • Log levels and starting in debug mode
    • Debug Splunk Web
    • Core Files
    • LDAP configurations
  • Splunkd is down
    • Splunkd may need a few more seconds to come up
    • Your license file contains line-breaks or other hidden characters
  • License issues
    • Cannot login
    • metrics.log
    • License violation warning
    • Advanced license troubleshooting
    • I installed my license in a Preview release and now it doesn't work!
  • Anonymize data samples
    • Simple method
    • Advanced method
  • Unable to get a properly formatted response from the server
  • Command line tools
    • btool
    • classify
    • exporttool
    • gzdumper
    • listtails
    • locktest
    • locktool
    • parsetest
    • pcregextest
    • regextest
    • searchtest
    • signtool
    • tsidxprobe

Configure whitelist and blacklist rules

When specifying inputs to monitor in inputs.conf, you can use whitelist and blacklist rules to explicitly tell Splunk to consume ONLY certain files or consume everything EXCEPT certain files. When you define a whitelist, Splunk indexes ONLY the files in that list. Alternately, when you define a blacklist, Splunk ignores the files in that list and consumes everything else. These settings are independent of each other.

Whitelist and blacklist rules use regular expression syntax to define the match on the file name. Also, your rules must be contained within a configuration stanza, for example [monitor://<path>]); those outside a stanza (global entries) are ignored.

Important: Define whitelist and blacklist entries with exact regex syntax; the "..." wildcard is not supported.

Whitelist (allow) files

To define the files you want Splunk to exclusively index, add the following line to your monitor stanza in $SPLUNK_HOME/etc/system/local/inputs.conf:

_whitelist = $YOUR_CUSTOM_REGEX

For example, if you want Splunk to monitor only files with the .log extension:

[monitor:///mnt/logs]
    _whitelist = .*\.log

Blacklist (ignore) files

To define the files you want Splunk to exclude from indexing, add the following line to your monitor stanza in $SPLUNK_HOME/etc/system/local/inputs.conf:

_blacklist = $YOUR_CUSTOM_REGEX

For example, if you want Splunk to ignore and not monitor only files with the .txt extension:

[monitor:///mnt/logs]
    _blacklist = .*\.txt

If you want Splunk to ignore and not monitor all files with either the .txt extension or the .gz extension:

[monitor:///mnt/logs]
    _blacklist = \.(txt|gz)$

Verify your lists

To verify that your whitelist and blacklist rules are configured properly, run the listtails utility found in your $SPLUNK_HOME/bin directory. listtails reads in the configuration of inputs.conf in all application directories, scans the directories and shows you the exact list of files that Splunk will monitor when you restart.

Note: The listtails utility requires you to first run the command source setSplunkEnv.