https://community.splunk.com/t5/Getting-Data-In/What-Windows-Event-Codes-are-generally-acceptable-to-filter-out/m-p/13345#M1185 <P>You can filter using multiple values or one value.</P> <P>See this answer for an example: <A href="http://answers.splunk.com/questions/577/how-do-you-filter-windows-event-log" rel="nofollow">http://answers.splunk.com/questions/577/how-do-you-filter-windows-event-log</A></P> <P>I filter out EventCodes that are irrelevant. This site gives you a down and dirty look at WindowsEventLog:</P> <P><A href="http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx" rel="nofollow">http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx</A></P> <P>The webinars in the site are pretty helpful as well. Once you've built your list of events to filter, apply them on your splunk instance.</P> Thu, 13 May 2010 02:28:05 GMT BunnyHop 2010-05-13T02:28:05Z https://community.splunk.com/t5/Getting-Data-In/What-Windows-Event-Codes-are-generally-acceptable-to-filter-out/m-p/13344#M1184 <P>Is there a good reference list or someone that can post what ways Windows Event Logs are being filtered? I'm particularly interested in those from a security perspective. For example, I get a flood of successful logins on an IIS web server from the IUSR account, which is of little value to me.</P> Wed, 12 May 2010 23:15:55 GMT https://community.splunk.com/t5/Getting-Data-In/What-Windows-Event-Codes-are-generally-acceptable-to-filter-out/m-p/13344#M1184 jones4bob 2010-05-12T23:15:55Z https://community.splunk.com/t5/Getting-Data-In/What-Windows-Event-Codes-are-generally-acceptable-to-filter-out/m-p/13345#M1185 <P>You can filter using multiple values or one value.</P> <P>See this answer for an example: <A href="http://answers.splunk.com/questions/577/how-do-you-filter-windows-event-log" rel="nofollow">http://answers.splunk.com/questions/577/how-do-you-filter-windows-event-log</A></P> <P>I filter out EventCodes that are irrelevant. This site gives you a down and dirty look at WindowsEventLog:</P> <P><A href="http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx" rel="nofollow">http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx</A></P> <P>The webinars in the site are pretty helpful as well. Once you've built your list of events to filter, apply them on your splunk instance.</P> Thu, 13 May 2010 02:28:05 GMT https://community.splunk.com/t5/Getting-Data-In/What-Windows-Event-Codes-are-generally-acceptable-to-filter-out/m-p/13345#M1185 BunnyHop 2010-05-13T02:28:05Z https://community.splunk.com/t5/Getting-Data-In/What-Windows-Event-Codes-are-generally-acceptable-to-filter-out/m-p/13346#M1186 <P>Splunk 6 makes this easier now with blacklists for windows inputs.</P> <PRE><CODE>[WinEventLog:Security] disabled = false blacklist = 5156-5157 </CODE></PRE> <P>It also makes suppressing the message payload much easier. </P> <PRE><CODE>[WinEventLog:Security] disabled = 0 suppress_text = 1 </CODE></PRE> <P><A href="http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/">http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/</A></P> Sun, 09 Mar 2014 00:53:58 GMT https://community.splunk.com/t5/Getting-Data-In/What-Windows-Event-Codes-are-generally-acceptable-to-filter-out/m-p/13346#M1186 chaker 2014-03-09T00:53:58Z https://community.splunk.com/t5/Getting-Data-In/What-Windows-Event-Codes-are-generally-acceptable-to-filter-out/m-p/13347#M1187 <P>This does not work on Universal Forwarders, correct?</P> Mon, 19 May 2014 20:12:49 GMT https://community.splunk.com/t5/Getting-Data-In/What-Windows-Event-Codes-are-generally-acceptable-to-filter-out/m-p/13347#M1187 denisevw 2014-05-19T20:12:49Z