Unable to use Whitelist and Blacklist in splunk

luv
Explorer

Hi
For whitelist:-
I have the following logs under my D: directory
D:/logs/abcUSEFUL.log
D:/logs/xyzUSEFUL.log
D:/logs/abcWASTE.log
D:/logs/xyzWASTE.log

I want to forward the log files that contain "USEFUL" in their names,
like from the above files only "abcUSEFUL.log" & "xyzUSEFUL.log" should be able to make their way into the indexer; the rest should be stopped.
Following is the stanza which I am using for my inputs.conf, but it doesn't seem to work

[monitor://D:\logs\*.log]
disabled = false
followTail =0
sourcetype = test
whitelist = USEFUL\.log$

For Blacklist:-
Suppose I want to restrict the files which have "WASTE" in their name; then they should not get forwarded, without affecting the forwarding of other files under the same directory.

Any advice?

Thanks 🙂

0 Karma
1 Solution

lukejadamec
Super Champion

Try being less specific with your monitor and then whitelisting and blacklisting the text in the filename:

[monitor://D:\logs]
blacklist=waste
whitelist=useful
disabled = false
followTail =0
sourcetype = test

0 Karma

lukejadamec
Super Champion

Yes, regex works in whitelists and blacklists.

0 Karma

luv
Explorer

Thanks lukejadamec that worked! 🙂

Simple regular expressions would also work in blacklist & whitelist, right?

For files "ilol.log" and "ilol2.log", I want both of them to be forwarded, meaning whichever file contains the "lol" keyword.
But the following stanza is not working: only the 1st one (ilol.log) is getting forwarded, not "ilol2.log"

[monitor://D:\logs]
disabled = false
followTail = 0
sourcetype = lol
whitelist = lol*\.log$

0 Karma
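
Added example, not part of the original thread and not Splunk's own code: a small Python model for checking a whitelist/blacklist pair against sample paths before deploying it, applied to the `lol*\.log$` question above. It assumes both settings are unanchored regexes searched against the full file path, with blacklist taking precedence; `is_monitored`, `audit`, `dropped`, the `lol.*\.log$` pattern and the `hello.log` path are constructed for illustration.

```python
import re

def is_monitored(path, whitelist=None, blacklist=None):
    """Assumed model, not Splunk code: each setting is an unanchored regex
    searched against the full file path, and a blacklist match wins."""
    if blacklist and re.search(blacklist, path):
        return False
    if whitelist and not re.search(whitelist, path):
        return False
    return True

def audit(paths, whitelist=None, blacklist=None):
    """Map each path to True (would be forwarded) or False (filtered out)."""
    return {p: is_monitored(p, whitelist, blacklist) for p in paths}

def dropped(paths, **filters):
    """Paths the filter silently excludes; review these before deploying."""
    return sorted(p for p, keep in audit(paths, **filters).items() if not keep)

# Constructed sample paths: the file names from the thread plus hello.log,
# which is added here to expose a false positive.
SAMPLE = [
    r"D:\logs\abcUSEFUL.log", r"D:\logs\xyzUSEFUL.log",
    r"D:\logs\abcWASTE.log", r"D:\logs\xyzWASTE.log",
    r"D:\logs\ilol.log", r"D:\logs\ilol2.log", r"D:\logs\hello.log",
]

# As posted: "l*" repeats only the last "l", so the pattern means "lo", then
# zero or more "l", then ".log". Nothing may sit between "lol" and ".log".
AS_POSTED = r"lol*\.log$"
# Candidate correction (an assumption of this example): ".*" allows any
# characters between "lol" and the extension.
CANDIDATE = r"lol.*\.log$"

if __name__ == "__main__":
    for name, pattern in (("as posted", AS_POSTED), ("candidate", CANDIDATE)):
        print(f"whitelist = {pattern}   ({name})")
        for path, keep in audit(SAMPLE, whitelist=pattern).items():
            print(f"  {'forward' if keep else 'skip   '}  {path}")
    # Matching here is case-sensitive, so the patterns use the upper-case
    # spelling that appears in the file names.
    print("dropped:", dropped(SAMPLE, whitelist=r"USEFUL\.log$", blacklist="WASTE"))
```

The posted pattern skips ilol2.log and also admits hello.log, so a filter like this can both lose wanted logs and forward unintended ones without any error being raised.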