topic Re: Whitelist stacking issues in inputs.conf in Splunk Dev

Whitelist stacking issues in inputs.conf

benbabich — Mon, 07 May 2018 18:31:17 GMT

I only want Error and Warning events from Windows System logs, except for a couple of individual events (104 and 1074) which I want event though they're 'information' events.

[WinEventLog://System]
disabled = 0
whitelist1 = 104,1074
whitelist2 = Type=/Error|Warning/

If I have just whitelist 1, I get the 1074 events (which are informational) but when I add whitelist 2, I only get Error and Warning events but no longer get 1074 events. How to I get both?

Re: Whitelist stacking issues in inputs.conf

benbabich — Mon, 14 May 2018 19:16:12 GMT

Once Regex enters the fray under [WinEventLog://System], the other system (commas) is thrown out the window.
"You have to use exclusively just event code (like whitelist1), or key/value regexes (like whitelist2). You can't mix and match in the same input stanza".
Got that info from PeanutButterW0lf over on reddit.com/r/splunk, so props to him.

This works:
[WinEventLog://System]
disabled = 0
whitelist = EventCode="104|1074|2020|6008|6009|12295|29223|40960|40961"
whitelist1 = Type=/Error|Warning/

Re: Whitelist stacking issues in inputs.conf

jcrabb_splunk — Tue, 15 May 2018 12:19:38 GMT

Sorry I hadn't had time to do testing for this as I was traveling but glad you got it resolved.