https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/740999#M21796 <P>Tried below regex to blacklist OR ignore 4688 event codes from the *.exe coming from the splunk forwarder path/directory</P><P>But not working, it's considering 4688 from splunk and non-splunk path</P><P>OR</P><P>not sending events from both splunk and non-splunk path.</P><P>Looking for a regex to be added as blacklist to ignore 4688 coming from *.exe files part of splunk universal forwarder path/directory</P><P>&nbsp;</P><P>blacklist = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"</P><P>blacklist = EventCode="4688" Message="New Process Name: (?:[a-zA-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.+\.exe)"</P><P>blacklist = EventCode="4688" Message="New Process Name: (?:[a-zA-Z]:\\\\Program Files\\\\Splunk(?:\\\\UniversalForwarder)?\\\\bin\\\\.+\\.exe)"</P><P>blacklist = EventCode="4688" Message="New Process Name: C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\"</P><P>blacklist = EventCode="4688" Message="New Process Name: C:\\Program Files\\SplunkUniversalForwarder\\bin\\"</P><P>blacklist = EventCode="4688" Message="New Process Name: (?i)[A-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.*\\.exe)"</P><P>blacklist = EventCode="4688" Message="New Process Name:\s*[A-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.+\\.exe)"</P><P>blacklist = EventCode="4688" Message="New Process Name:\s*[A-Z]:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\.*\\.exe"</P> Thu, 06 Mar 2025 08:43:37 GMT sureshkumaar 2025-03-06T08:43:37Z https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/740999#M21796 <P>Tried below regex to blacklist OR ignore 4688 event codes from the *.exe coming from the splunk forwarder path/directory</P><P>But not working, it's considering 4688 from splunk and non-splunk path</P><P>OR</P><P>not sending events from both splunk and non-splunk path.</P><P>Looking for a regex to be added as blacklist to ignore 4688 coming from *.exe files part of splunk universal forwarder path/directory</P><P>&nbsp;</P><P>blacklist = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"</P><P>blacklist = EventCode="4688" Message="New Process Name: (?:[a-zA-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.+\.exe)"</P><P>blacklist = EventCode="4688" Message="New Process Name: (?:[a-zA-Z]:\\\\Program Files\\\\Splunk(?:\\\\UniversalForwarder)?\\\\bin\\\\.+\\.exe)"</P><P>blacklist = EventCode="4688" Message="New Process Name: C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\"</P><P>blacklist = EventCode="4688" Message="New Process Name: C:\\Program Files\\SplunkUniversalForwarder\\bin\\"</P><P>blacklist = EventCode="4688" Message="New Process Name: (?i)[A-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.*\\.exe)"</P><P>blacklist = EventCode="4688" Message="New Process Name:\s*[A-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.+\\.exe)"</P><P>blacklist = EventCode="4688" Message="New Process Name:\s*[A-Z]:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\.*\\.exe"</P> Thu, 06 Mar 2025 08:43:37 GMT https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/740999#M21796 sureshkumaar 2025-03-06T08:43:37Z https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/741004#M21799 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206567">@sureshkumaar</a>&nbsp;</P><P>Please could you post a sample event which is being ingested (which shouldnt) so we can help work to provide the best blacklist values for this?</P><P>In the meantime, you might find some useful responses in the following:</P><P><A href="https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Process-Name-inputs-conf-Blacklisting-Regex-Help/m-p/502522" target="_blank">https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Process-Name-inputs-conf-Blacklisting-Regex-Help/m-p/502522</A></P><P><A href="https://community.splunk.com/t5/Getting-Data-In/How-to-edit-inputs-conf-to-blacklist-an-eventcode/td-p/316734?_gl=1*vt66n4*_gcl_au*NjAzOTAxOTc1LjE3MzY5MzU2MTE.*FPAU*NjAzOTAxOTc1LjE3MzY5MzU2MTE.*_ga*MTE2ODIxOTU0My4xNjIyNzA5MTMz*_ga_5EPM2P39FV*MTc0MTI1MjYwMi4yOTEuMS4xNzQxMjUzNDQwLjAuMC4zMTYwNzI5MDI.*_fplc*RUlmMXZYMldIQzFKUEdsamdtbjElMkJVSDNiZ21tZ0pBMGJKUSUyRnA5VSUyRnRnSkpxczVBSWV5dmRWMmF0WiUyQk9nY3REUTZhOHclMkZwUTUyTlBZdmRlc0gyJTJGcG9NNnFDM0NDRWdtNjlheDUlMkZSeWsyNlNLYzAlM0Q" target="_blank">https://community.splunk.com/t5/Getting-Data-In/How-to-edit-inputs-conf-to-blacklist-an-eventcode/td-p/316734</A></P><P>Thanks</P> Thu, 06 Mar 2025 09:34:22 GMT https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/741004#M21799 livehybrid 2025-03-06T09:34:22Z https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/741021#M21800 <P>Aren't you by any chance ingesting your events as XML?</P> Thu, 06 Mar 2025 10:50:15 GMT https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/741021#M21800 PickleRick 2025-03-06T10:50:15Z https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/741089#M21803 <P>Below is the events for 4688 where the code gets captured in a field called "EventCode"</P><P>&nbsp;</P><DIV>A new process has been created.</DIV><DIV>&nbsp;</DIV><DIV>Creator Subject:</DIV><DIV><SPAN>Security ID: NT AUTHORITY\SYSTEM</SPAN></DIV><DIV><SPAN>Account Name: SERVERNAME$</SPAN></DIV><DIV><SPAN>Account Domain: TRUE</SPAN></DIV><DIV><SPAN>Logon ID: 0x3E7</SPAN></DIV><DIV>&nbsp;</DIV><DIV>Target Subject:</DIV><DIV><SPAN>Security ID:</SPAN></DIV><DIV><SPAN>Account Name:</SPAN></DIV><DIV><SPAN>Account Domain:</SPAN></DIV><DIV><SPAN>Logon ID:</SPAN></DIV><DIV>&nbsp;</DIV><DIV>Process Information:</DIV><DIV><SPAN>New Process ID: 0x2650</SPAN></DIV><DIV><SPAN>New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe</SPAN></DIV><DIV><SPAN>Token Elevation Type: TokenElevationTypeDefault (1)</SPAN></DIV><DIV><SPAN>Creator Process ID: 0xf7c</SPAN></DIV><DIV><SPAN>Process Command Line:</SPAN></DIV> Fri, 07 Mar 2025 08:40:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/741089#M21803 sureshkumaar 2025-03-07T08:40:09Z https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/741090#M21804 <P>below is inputs.conf before blacklist lines</P><P>&nbsp;</P><P>[WinEventLog://Security]<BR />disabled = 0<BR />checkpointInterval = 5<BR />disabled = 0<BR />start_from = oldest<BR />renderXml = false<BR />evt_resolve_ad_obj = 1</P> Fri, 07 Mar 2025 08:41:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/741090#M21804 sureshkumaar 2025-03-07T08:41:29Z https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/741110#M21805 <P>OK. You seem to be struggling a bit with the regex. I haven't read your attempts&nbsp; thoroughly before but now I see that they seem to have some mistakes in one point or another.</P><P>Use regex101.com to verify your regexes. They don't need any escaping in config as long as you chose proper delimiters which do not interfere with the regex contents (so if you want to enclose your regex with quotes, your regex itself mustn't contain quotes and so on).</P><P>And I wouldn't worry about whether the group is capturing or not. It's not that important memory-wise in this case and you're not using the groups for anything anyway.</P> Fri, 07 Mar 2025 12:40:14 GMT https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/741110#M21805 PickleRick 2025-03-07T12:40:14Z https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/741660#M21848 <P>Issue is fixed, below excluded the events when splunk*.exe is found for 4688 event code.</P><P>blacklist3 = EventCode="4688" Message=".*(splunk-.*\.exe|splunk\.exe|splunkd\.exe).*"</P> Thu, 13 Mar 2025 07:47:43 GMT https://community.splunk.com/t5/Splunk-Enterprise/4688-event-code-to-be-excluded-from-universal-forwarder/m-p/741660#M21848 sureshkumaar 2025-03-13T07:47:43Z