In case of a conflict between a whitelist and a blacklist input setting, which one is used?
In case of a conflict between a whitelist and a blacklist input setting, the blacklist is used. This is because blacklist entries are typically given higher priority to prevent unintended or potentially harmful data from being processed, ensuring more stringent control over what is excluded.
"It is not necessary to define both an allow list and a deny list in a configuration stanza. The settings are independent. If you do define both filters and a file matches them both, Splunk Enterprise does not index that file, as the blacklist filter overrides the whitelist filter." Source: https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Whitelistorblacklistspecificincomingdata
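The rule quoted above, modelled as an added example (not code from Splunk or from the original page): it reads a monitor stanza and reports which file paths would be indexed or skipped. The stanza, patterns, paths and function names are constructed for illustration, and Python's `re` is assumed to stand in for Splunk's own regex matching against the full path.

```python
import configparser
import re

# Constructed inputs.conf fragment (paths and patterns are illustrative).
SAMPLE_INPUTS_CONF = r"""
[monitor:///var/log/app]
whitelist = \.log$
blacklist = debug
"""

def load_filters(conf_text):
    """Return {stanza: (whitelist_regex_or_None, blacklist_regex_or_None)}."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(conf_text)
    filters = {}
    for stanza in parser.sections():
        wl = parser.get(stanza, "whitelist", fallback=None)
        bl = parser.get(stanza, "blacklist", fallback=None)
        filters[stanza] = (re.compile(wl) if wl else None,
                           re.compile(bl) if bl else None)
    return filters

def is_indexed(path, whitelist, blacklist):
    """Model of the documented rule: a blacklist match always excludes."""
    if blacklist is not None and blacklist.search(path):
        return False          # blacklist overrides whitelist
    if whitelist is not None:
        return whitelist.search(path) is not None
    return True               # no filters set: nothing is excluded

def audit(conf_text, paths):
    """Map each path to True (indexed) or False (skipped), per stanza."""
    return {stanza: {p: is_indexed(p, wl, bl) for p in paths}
            for stanza, (wl, bl) in load_filters(conf_text).items()}

# Constructed sample paths.
SAMPLE_PATHS = [
    "/var/log/app/access.log",        # whitelist only: indexed
    "/var/log/app/debug.log",         # matches both: skipped
    "/var/log/app/access.log.1.gz",   # matches neither: skipped by whitelist
]

if __name__ == "__main__":
    for stanza, results in audit(SAMPLE_INPUTS_CONF, SAMPLE_PATHS).items():
        for path, indexed in results.items():
            print(f"{stanza}  {path}  {'indexed' if indexed else 'skipped'}")
```

Running a check like this over the paths you expect to collect shows where a broad blacklist pattern silently drops a log source that the whitelist was meant to include.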
Blacklist Overrides Whitelist
A is correct Data Admin slide 123
A is correct
In case of a conflict the blacklist prevails
A. Blacklist
Blacklist always overrides Whitelist
A. blacklist