https://community.splunk.com/t5/Getting-Data-In/Prevent-ingestion-of-quot-NT-AUTHORITY-SYSTEM-quot-EventCode/m-p/693667#M115304 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/40393">@sswigart</a>&nbsp;,</P><P>as you can read at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.2.2/Admin/Inputsconf#Event_Log_filtering" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.2.2/Admin/Inputsconf#Event_Log_filtering, </A></P><P>if the logs you indicated aren't relevant for your searches, you can follow the instructons in the above link, adding a blacklist to your inputs.conf in the WinEventLog:Security stanza.</P><P>Only one attention point: in the blacklist you must use a regex, not a string to search.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 18 Jul 2024 06:12:53 GMT gcusello 2024-07-18T06:12:53Z https://community.splunk.com/t5/Getting-Data-In/Prevent-ingestion-of-quot-NT-AUTHORITY-SYSTEM-quot-EventCode/m-p/693613#M115297 <P>I am exceeding my 5GB license. I have determine the problem by doing a 24 hour search using the following:</P> <LI-CODE lang="markup">index="winlogs" host=filesvr souce="WinEventLog:Security" EventCode=4663 Accesses="ReadData (or ListDirectory) Security_ID="NT AUTHORITY\SYSTEM"</LI-CODE> <P>The above search returns 4.5 million plus records.</P> <P>My question is how do I stop Splunk from ingesting&nbsp; &nbsp; &nbsp;Security_ID="NT AUTHORITY\SYSTEM" of EventCode 4663?</P> <P>Would appreciate any assistance\suggestions given.</P> Wed, 17 Jul 2024 14:11:58 GMT https://community.splunk.com/t5/Getting-Data-In/Prevent-ingestion-of-quot-NT-AUTHORITY-SYSTEM-quot-EventCode/m-p/693613#M115297 sswigart 2024-07-17T14:11:58Z https://community.splunk.com/t5/Getting-Data-In/Prevent-ingestion-of-quot-NT-AUTHORITY-SYSTEM-quot-EventCode/m-p/693667#M115304 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/40393">@sswigart</a>&nbsp;,</P><P>as you can read at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.2.2/Admin/Inputsconf#Event_Log_filtering" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.2.2/Admin/Inputsconf#Event_Log_filtering, </A></P><P>if the logs you indicated aren't relevant for your searches, you can follow the instructons in the above link, adding a blacklist to your inputs.conf in the WinEventLog:Security stanza.</P><P>Only one attention point: in the blacklist you must use a regex, not a string to search.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 18 Jul 2024 06:12:53 GMT https://community.splunk.com/t5/Getting-Data-In/Prevent-ingestion-of-quot-NT-AUTHORITY-SYSTEM-quot-EventCode/m-p/693667#M115304 gcusello 2024-07-18T06:12:53Z https://community.splunk.com/t5/Getting-Data-In/Prevent-ingestion-of-quot-NT-AUTHORITY-SYSTEM-quot-EventCode/m-p/693737#M115309 <P>Actually, you can blacklist by eventcodes or by regex. (and with a caveat that if you use renderXml=true, you have to specify blacklist differently).</P> Thu, 18 Jul 2024 12:48:31 GMT https://community.splunk.com/t5/Getting-Data-In/Prevent-ingestion-of-quot-NT-AUTHORITY-SYSTEM-quot-EventCode/m-p/693737#M115309 PickleRick 2024-07-18T12:48:31Z