topic Re: How to blacklist specific occurrences of a particular eventcode? in Getting Data In

How to blacklist specific occurrences of a particular eventcode?

jh007 — Tue, 01 Aug 2017 22:05:29 GMT

I am attempting to blacklist a series of process creation events (eventcode 4688) because they are noise and will break my index cap. In short, I need to be able to keep 4688 events while filtering out the garbage. Here is what I have so far:

blacklist1 = EventCode="4688" Message="(.*splunk.*|.*WmiP.*|.*SearchFilterHost.*|.*taskhost.*|.*TrustedInstaller.*|.*dllhost.*).*.exe"

Any help would be greatly appreciated.

Re: How to blacklist specific occurrences of a particular eventcode?

gcusello — Wed, 02 Aug 2017 07:47:05 GMT

Hi jh007,
you could filter these events on the indexer before indexing:
in props.conf

TRANSFORMS-set-AS=set_AS,set_nullqueue

in transforms.conf

# nullqueue #
[set_nullqueue]
REGEX=EventCode\=4688
DEST_KEY=queue
FORMAT=nullQueue
# AS #
[set_AS]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

Beware how it's written EventCode=4688: if there are spaces or brackets modify my regex.

Bye.
Giuseppe

Re: How to blacklist specific occurrences of a particular eventcode?

jh007 — Wed, 02 Aug 2017 15:37:43 GMT

Hello Giuseppe,

I think you may of misunderstood what I was asking. I need to keep 4688 events except for the few specific ones I listed in my post. My issue has been figuring out how to make the blacklist acknowledge which components I want it to filter. All my previous attempts to filter specific 4688 events have stopped ALL 4688 events from coming in rather than ones I don't want. In summary, I need to know if there is in fact a way to blacklist what I am trying to do just like Splunk's documentation has suggested.

Thank you
James

Re: How to blacklist specific occurrences of a particular eventcode?

gcusello — Wed, 02 Aug 2017 15:44:26 GMT

Hi jh007,
if your need is to take all events with 4688 except the ones you listed, you have to modify my transforms.conf (props.conf is the same) as following

 # nullqueue #
 [set_nullqueue]
 REGEX=Message\=\"(.*splunk.*|.*WmiP.*|.*SearchFilterHost.*|.*taskhost.*|.*TrustedInstaller.*|.*dllhost.*).*.exe\"
 DEST_KEY=queue
 FORMAT=nullQueue
 # AS #
 [set_AS]
 REGEX=EventCode\=4688
 DEST_KEY = queue
 FORMAT = indexQueue

Bye.
Giuseppe

Re: How to blacklist specific occurrences of a particular eventcode?

jh007 — Tue, 29 Sep 2020 15:21:56 GMT

Hello Giuseppe,

So I got the blacklist working for one event through the inputs.conf file. (see below)

blacklist1 = EventCode="4688" Message=".*[\S\s]*Account\sName:\s+[\S+]+[\$]"

Thank you for your help