https://community.splunk.com/t5/Getting-Data-In/Why-is-blacklisting-Windows-event-logs-on-a-deployment-server/m-p/436868#M76214 <P>If you want to deploy the modified <CODE>inputs.conf</CODE> to deployment clients, you must put the changed app into <CODE>$SPLUNK_HOME/etc/deployment-apps/YourAppNameHere/local</CODE> and configure a server class to deploy it.</P> <P>cheers, MuS</P> Thu, 12 Jul 2018 21:38:57 GMT MuS 2018-07-12T21:38:57Z https://community.splunk.com/t5/Getting-Data-In/Why-is-blacklisting-Windows-event-logs-on-a-deployment-server/m-p/436866#M76212 <P>I tried following the documentation for blacklisting Windows event logs in Splunk 6.3.1 without success. I tried editing Splunk/etc/system/local/inputs.conf as well as Splunk/etc/apps/Splunk_TA_windows/local</P> Tue, 29 Sep 2020 20:26:00 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-blacklisting-Windows-event-logs-on-a-deployment-server/m-p/436866#M76212 nick405060 2020-09-29T20:26:00Z https://community.splunk.com/t5/Getting-Data-In/Why-is-blacklisting-Windows-event-logs-on-a-deployment-server/m-p/436867#M76213 <P>I posted this question just so that I could answer it for the Splunk community in case it helps anyone else out. If someone could convert this to an answer that would be great. Copied and pasted from an email to a coworker:</P> <P>Here’s some notes regarding blacklisting in Splunk (note that this differs sharply from the official/flawed 6.3.1 documentation).</P> <P>-Blacklisting forwarded Windows event logs on the deployment server needs to be done in Splunk/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf, followed by either a Splunk reboot or “splunk reload deploy-server” (note that I cannot get the command to work in PowerShell)<BR /> -Your first blacklist (blacklist, not blacklist1) is the only line that can take a list of event IDs. <BR /> -----blacklist = 0-4623,4625-100000<BR /> -Numbered blacklists, up to and including blacklist9, take regular expressions, but they need to be surrounded by % instead of quotation marks. Also note that wildcards are not accepted as they are in a Splunk search or Splunk XML (e.g. blacklist1 = Message=%*thingtofind*%), they need to be a strict regex (e.g. .* or [\s\S]*)<BR /> -----blacklist1 = Message=%[\s\S]*Account Name:\s*(ABCEX|Mimecast_MSESvc|APMMONITOR|ABCDC|DEF)[\s\S]*%<BR /> -You can only blacklist on: Category CategoryString ComputerName EventCode EventType Keywords LogName Message OpCode RecordNumber Sid SidType SourceName TaskCategory Type User</P> <P>Cheers,</P> Tue, 29 Sep 2020 20:26:02 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-blacklisting-Windows-event-logs-on-a-deployment-server/m-p/436867#M76213 nick405060 2020-09-29T20:26:02Z https://community.splunk.com/t5/Getting-Data-In/Why-is-blacklisting-Windows-event-logs-on-a-deployment-server/m-p/436868#M76214 <P>If you want to deploy the modified <CODE>inputs.conf</CODE> to deployment clients, you must put the changed app into <CODE>$SPLUNK_HOME/etc/deployment-apps/YourAppNameHere/local</CODE> and configure a server class to deploy it.</P> <P>cheers, MuS</P> Thu, 12 Jul 2018 21:38:57 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-blacklisting-Windows-event-logs-on-a-deployment-server/m-p/436868#M76214 MuS 2018-07-12T21:38:57Z https://community.splunk.com/t5/Getting-Data-In/Why-is-blacklisting-Windows-event-logs-on-a-deployment-server/m-p/436869#M76215 <P>one the PowerShell comment, you make sure you cd to the Splunk bin directory and that you dot source the Splunk binary:</P> <PRE><CODE>./splunk reload deploy-server </CODE></PRE> <P>Also, run PS with elevated permissions</P> Mon, 23 Jul 2018 20:38:38 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-blacklisting-Windows-event-logs-on-a-deployment-server/m-p/436869#M76215 cstump_splunk 2018-07-23T20:38:38Z