topic Re: How to create more than 10 blacklists for the same input in Getting Data In

How to create more than 10 blacklists for the same input

cjaramilloc — Tue, 07 Feb 2017 20:46:05 GMT

Hello

Anybodyw know how to create more than 10 blacklists for the same input in windows events monitoring?

According to documentation you can only use blacklist1 through blacklist9: http://docs.splunk.com/Documentation/Splunk/6.5.2/admin/Inputsconf#Windows_Event_Log_Monitor

I have a small license and every once in a while I notice some events I don’t need, and I add them to the blacklist:

[WinEventLog:Security]
disabled = 0
start_from = oldest
blacklist=5XX5,4XX8,4XX6
blacklist1=EventCode="4XX1" Message="\b. *0xO"
...
blacklist9=EventCode="5XX6" Message="Audit Sucess"

Now I'm trying to add a blacklist10 but I can’t. Do you guys know a workaround?, maybe using transforms.

Thank you

Christian

Re: How to create more than 10 blacklists for the same input

somesoni2 — Tue, 07 Feb 2017 21:01:47 GMT

You should be able to use syntax like this for remaining blacklist/event filter (using props/transforms on Indexer/Heavy forwarder).
https://answers.splunk.com/answers/107605/filtering-events-out-via-props-conf-and-transforms-conf.html

Re: How to create more than 10 blacklists for the same input

woodcock — Tue, 07 Feb 2017 21:12:57 GMT

If you have more than one blacklist, you must number them all, starting at 1. In the blacklist, you can have ranges (separated by hyphens) or individuals (separated by commas) or both. So combine as much as you can on a single line to make room for other blacklists.

blacklist1 = 5156,5158,4656,4700-5600
blacklist2 = EventCode=%^4689$% Message=%SplunkUniversalForwarder%

Additionally, the "RegEx" used, is not normal RegEx; read the documentation here:

http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf#Windows_Event_Log_Monitor
http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

Re: How to create more than 10 blacklists for the same input

koshyk — Wed, 08 Feb 2017 18:55:14 GMT

Do you have heavy forwarder before your indexer? (or even indexer is Ok, but it will be cpu intensive). YOu can do props/transforms at message level within Heavy Forwarder (or indexer) and put into nullqueue so it is NOT indexed

Re: How to create more than 10 blacklists for the same input

aaraneta_splunk — Sat, 11 Mar 2017 18:23:31 GMT

@cjaramilloc - Did the answer provided by woodcock help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

Re: How to create more than 10 blacklists for the same input

cjaramilloc — Mon, 13 Mar 2017 15:15:00 GMT

I've already did the combinations, but I still need room for more

Re: How to create more than 10 blacklists for the same input

woodcock — Thu, 10 Oct 2019 16:01:19 GMT

So what did it finally look like?