https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-multiple-events-on-same-line-Can-I-use/m-p/290969#M55501 <P>You can either filter by eventcode or regex. According to Splunk Docs...You can specify one of two formats:</P> <P>One or more Event Log event codes or event IDs (Event Log code/ID format.)<BR /> One or more sets of keys and regular expressions. (Advanced filtering format.)<BR /> You cannot mix formats in a single entry. You also cannot mix formats in the same stanza.</P> <P>Examples -<BR /> event code blacklist<BR /> blacklist1 = 1100,1101,4624,4634,4647-4649</P> <P>regex blacklist<BR /> blacklist1 = EventCode=%^200$% User=%drodman%</P> <P>You can specify up to 10 blacklist per input stanza. If you need more than this you might want to consider a whitelist strategy instead. You just whitelist the codes you need instead of blacklisting the ones you don't.</P> <P>More details here: <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Event_Log_whitelist_and_blacklist_formats">http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Event_Log_whitelist_and_blacklist_formats</A> </P> Mon, 20 Nov 2017 18:56:36 GMT aivarson_splunk 2017-11-20T18:56:36Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-multiple-events-on-same-line-Can-I-use/m-p/290968#M55500 <P>I want to blacklist 4698, 4699, 4700, 4701,4702 if they contain 'Microsoft\Windows' in the Task Name.</P> <P>Would either of these work? <BR /> blacklist1 = EventCode="4698,4699,4700,4701,4702" Message="(?:Task Name:).+(?:Microsoft\Windows?)"<BR /> or <BR /> blacklist1 = EventCode="4698-4702" Message="(?:Task Name:).+(?:Microsoft\Windows?)"</P> <P>Or would I have to have a separate line for each, such as :<BR /> blacklist1 = EventCode="4698" Message="(?:Task Name:).+(?:Microsoft\Windows?)"<BR /> blacklist2 = EventCode="4699" Message="(?:Task Name:).+(?:Microsoft\Windows?)"<BR /> etc</P> Mon, 20 Nov 2017 16:21:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-multiple-events-on-same-line-Can-I-use/m-p/290968#M55500 benbabich 2017-11-20T16:21:31Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-multiple-events-on-same-line-Can-I-use/m-p/290969#M55501 <P>You can either filter by eventcode or regex. According to Splunk Docs...You can specify one of two formats:</P> <P>One or more Event Log event codes or event IDs (Event Log code/ID format.)<BR /> One or more sets of keys and regular expressions. (Advanced filtering format.)<BR /> You cannot mix formats in a single entry. You also cannot mix formats in the same stanza.</P> <P>Examples -<BR /> event code blacklist<BR /> blacklist1 = 1100,1101,4624,4634,4647-4649</P> <P>regex blacklist<BR /> blacklist1 = EventCode=%^200$% User=%drodman%</P> <P>You can specify up to 10 blacklist per input stanza. If you need more than this you might want to consider a whitelist strategy instead. You just whitelist the codes you need instead of blacklisting the ones you don't.</P> <P>More details here: <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Event_Log_whitelist_and_blacklist_formats">http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Event_Log_whitelist_and_blacklist_formats</A> </P> Mon, 20 Nov 2017 18:56:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-multiple-events-on-same-line-Can-I-use/m-p/290969#M55501 aivarson_splunk 2017-11-20T18:56:36Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-multiple-events-on-same-line-Can-I-use/m-p/290970#M55502 <P>Since Message="(?:Task Name:).+(?:Microsoft\Windows?)" is in regex form, the "EventCode=" must use regex as well. </P> <P>You will have to break up "EventCode=" into two separate blacklist. For example:</P> <P>blacklist = EventCode="^469([8-9])$" Message=blah<BR /> blacklist1 = EventCode="^470([0-2])$" Message=blah</P> <P>This Splunk Doc provides an example of whitelisting, but both are similar.</P> <P><A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/MonitorWindowseventlogdata">http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/MonitorWindowseventlogdata</A></P> Mon, 20 Nov 2017 21:47:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-multiple-events-on-same-line-Can-I-use/m-p/290970#M55502 chanthongphiob 2017-11-20T21:47:28Z