https://community.splunk.com/t5/Splunk-Enterprise/How-to-whitelist-specific-TaskName-in-inputs-conf-in-Splunk/m-p/608263#M13534 <P>If the keyword is not in that list then it cannot be used in a whitelist or blacklist.</P> Thu, 04 Aug 2022 12:10:30 GMT richgalloway 2022-08-04T12:10:30Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-whitelist-specific-TaskName-in-inputs-conf-in-Splunk/m-p/608012#M13515 <P>How will I whitelist specific TaskName in inputs.conf in Splunk forwarder configuration from WinEventLog Task Scheduler/Operational .</P> <P>Pulled data Example:</P> <P>....&lt;Data Name='TaskName'&gt;\Job 1&lt;/Data&gt;.....</P> <P>....&lt;Data Name='TaskName'&gt;\Job 2&lt;/Data&gt;.....</P> <P>....&lt;Data Name='TaskName'&gt;\Other 1&lt;/Data&gt;.....</P> <P>I only need to pull data of Job 1 and Job 2. How can I filter multiple jobs in inputs.conf</P> Wed, 03 Aug 2022 14:46:25 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-whitelist-specific-TaskName-in-inputs-conf-in-Splunk/m-p/608012#M13515 splunker-2021 2022-08-03T14:46:25Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-whitelist-specific-TaskName-in-inputs-conf-in-Splunk/m-p/608105#M13524 <P>Splunk supports whitelisting based on a fixed set of keywords.&nbsp; "Data Name" is not one of them, but Message is.&nbsp; If the TaskName is part of the Message text then perhaps this whitelist will help.</P><LI-CODE lang="markup">whitelist1 = Message=:"TaskName'\&gt;\\Job [12]\&lt;:</LI-CODE> Wed, 03 Aug 2022 14:55:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-whitelist-specific-TaskName-in-inputs-conf-in-Splunk/m-p/608105#M13524 richgalloway 2022-08-03T14:55:09Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-whitelist-specific-TaskName-in-inputs-conf-in-Splunk/m-p/608220#M13528 <P>Hi, I appreciate your help, but it still not working on my end <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> I have tried the code but no result in pulling data.</P><P>This is the inputs.conf</P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">[WinEventLog://Microsoft-Windows-TaskScheduler/Operational]<BR />disabled = 0<BR />start_from = oldest<BR />current_only = 1<BR />checkpointInterval = 5<BR />renderXml = true<BR />whitelist1 = Message=:'TaskName'\&gt;\\Service Process\\&lt;:<BR />index = winevents_index</TD></TR></TBODY></TABLE> Thu, 04 Aug 2022 06:45:02 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-whitelist-specific-TaskName-in-inputs-conf-in-Splunk/m-p/608220#M13528 splunker-2021 2022-08-04T06:45:02Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-whitelist-specific-TaskName-in-inputs-conf-in-Splunk/m-p/608232#M13529 <P>I believe&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;that the Task name is not under a Message keyword accepted by the whitelisting. With this, do we have any work around? or once the keyword is not:</P><PRE>Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User</PRE><P>meaning it will not work at all?&nbsp;&nbsp;</P> Thu, 04 Aug 2022 07:29:10 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-whitelist-specific-TaskName-in-inputs-conf-in-Splunk/m-p/608232#M13529 vin_ven27 2022-08-04T07:29:10Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-whitelist-specific-TaskName-in-inputs-conf-in-Splunk/m-p/608263#M13534 <P>If the keyword is not in that list then it cannot be used in a whitelist or blacklist.</P> Thu, 04 Aug 2022 12:10:30 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-whitelist-specific-TaskName-in-inputs-conf-in-Splunk/m-p/608263#M13534 richgalloway 2022-08-04T12:10:30Z