https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121660#M25215 <P>Just to be sure, can you try changing the order of event ids in blacklist?</P> Wed, 22 Jan 2014 18:58:42 GMT somesoni2 2014-01-22T18:58:42Z https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121657#M25212 <P>Hello, friends!</P> <P>We have:<BR /> Splunk server (indexer) and computer with WinXP and UniversalForwarder.<BR /> The task was to remove some windows security events from Splunk indexer. <BR /> It was solved by using the parameter "<STRONG>blacklist</STRONG>" in <STRONG>inputs.conf</STRONG> on computer with WinXP. </P> <UL> <LI><P>inputs.conf</P> <P><CODE>[WinEventLog://Security]<BR /> disabled = false<BR /> blacklist = 538,540</CODE></P></LI> </UL> <P>And all that is needed work, the data came from the EventLog except the two specified ID (538 and 540). </P> <P>The problem started when I decided to add a third ID (576).<BR /> I change the inputs.conf:</P> <P><CODE>[WinEventLog://Security]<BR /> disabled = false<BR /> blacklist = 538,540,576</CODE></P> <P>Save, restart splunk service. </P> <P>And any event from the EventLog from this machine stopped coming to indexer. <BR /> If i change inputs.conf to original appearance (when two of Event) - all working again as necessary.</P> <P>What can be caused by this problem?</P> <P>Thx!</P> Wed, 22 Jan 2014 12:51:26 GMT https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121657#M25212 templier 2014-01-22T12:51:26Z https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121658#M25213 <P>Do you get other events from the forwarder? Can you see any errors or warnings from the forwarder when searching in <CODE>index=_internal</CODE>?</P> Wed, 22 Jan 2014 13:00:44 GMT https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121658#M25213 laserval 2014-01-22T13:00:44Z https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121659#M25214 <P>Yes, other data from this machine come correct. Disappears only EventLog.</P> Wed, 22 Jan 2014 13:17:29 GMT https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121659#M25214 templier 2014-01-22T13:17:29Z https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121660#M25215 <P>Just to be sure, can you try changing the order of event ids in blacklist?</P> Wed, 22 Jan 2014 18:58:42 GMT https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121660#M25215 somesoni2 2014-01-22T18:58:42Z https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121661#M25216 <P>blacklist = 576,538,540 and blacklist = 576,538 - the same result <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> <BR /> As an option to make the whitelist with all EventID Except for these ID, but will try it later. I think this can not be caused by the free license.</P> Thu, 23 Jan 2014 06:17:40 GMT https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121661#M25216 templier 2014-01-23T06:17:40Z https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121662#M25217 <P>Have you checked the event log to see if there are events not with those ID's? just want to rule out the obvious etc...</P> Wed, 12 Mar 2014 10:24:06 GMT https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121662#M25217 Pierceyuk 2014-03-12T10:24:06Z https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121663#M25218 <P>Of course I checked a security log for the presence of this ID's. In security log entry is present, they are not present in splunk.</P> Wed, 12 Mar 2014 12:13:17 GMT https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121663#M25218 templier 2014-03-12T12:13:17Z https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121664#M25219 <P>have u tried blacklist =(576|538|540)</P> Wed, 12 Mar 2014 12:15:40 GMT https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121664#M25219 rakesh_498115 2014-03-12T12:15:40Z https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121665#M25220 <P>The blacklist parameter is a regular expression:</P> <P><A href="http://regexone.com">http://regexone.com</A></P> <P>This worked in my test:</P> <P>blacklist = 538|540|576</P> <P>Here is the documentation for the parameter:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf</A></P> Wed, 12 Mar 2014 13:04:48 GMT https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121665#M25220 bshuler_splunk 2014-03-12T13:04:48Z https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121666#M25221 <P>Thx. Сheck shortly.<BR /> The last time was not the time to do it</P> Mon, 31 Mar 2014 13:19:55 GMT https://community.splunk.com/t5/Getting-Data-In/Parameter-quot-blacklist-quot-in-inputs-conf/m-p/121666#M25221 templier 2014-03-31T13:19:55Z