https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/438189#M76412 <P>Thanks , I tried it as well.. Did not work , still see the events come in.</P> Fri, 13 Jul 2018 22:37:18 GMT nmohammed 2018-07-13T22:37:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/438185#M76408 <P>Trying to blacklist specific windows event logs based on event code and task category, but doesn't work .</P> <PRE><CODE>[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 checkpointInterval = 5 index = winevents renderXml=false blacklist1=EventCode="5145" TaskCategory="(Detailed File Share|File Share)" Example event - 07/13/2018 11:22:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=SomeServer TaskCategory=File Share OpCode=Info RecordNumber=5487448804 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: S-1-5-21-xxxxxxxxx-xxxxxx-xxxxxx-xxxx Account Name: cz9_rmc_s3_CIFS$ Account Domain: domain Logon ID: 0x3D9AC95C1 Network Information: Object Type: File Source Address: 10.xxx.xx.xxx Source Port: 45088 Share Information: Share Name: \\*\IPC$ Share Path: Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) </CODE></PRE> Fri, 13 Jul 2018 18:52:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/438185#M76408 nmohammed 2018-07-13T18:52:47Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/438186#M76409 <P>try this </P> <P>blacklist=EventCode=%^5145$% TaskCategory=%(Detailed File Share|File Share)%</P> Fri, 13 Jul 2018 18:59:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/438186#M76409 CarsonZa 2018-07-13T18:59:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/438187#M76410 <P>Try using just <CODE>blacklist</CODE> instead of <CODE>blacklist1</CODE>. You can have upto 10 blacklist filters applied but it should start with <CODE>blacklist</CODE>, <CODE>blacklist1</CODE>, <CODE>blacklist2</CODE>...etc till <CODE>blacklist9</CODE>.</P> Fri, 13 Jul 2018 19:11:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/438187#M76410 somesoni2 2018-07-13T19:11:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/438188#M76411 <P>Tried this - </P> <P>[WinEventLog://Security]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> checkpointInterval = 5<BR /> index = winevents<BR /> renderXml=false<BR /> blacklist1=EventCode="5145" TaskCategory="Detailed File Share"<BR /> blacklist1=EventCode="5145" TaskCategory="File Share"</P> <P>Did not work. Still see the events come in.</P> Tue, 29 Sep 2020 20:26:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/438188#M76411 nmohammed 2020-09-29T20:26:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/438189#M76412 <P>Thanks , I tried it as well.. Did not work , still see the events come in.</P> Fri, 13 Jul 2018 22:37:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/438189#M76412 nmohammed 2018-07-13T22:37:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/438190#M76413 <P>Actually this worked. I had two different EventCodes sending the Same Category. </P> <P>Thanks @CarsonZa</P> Fri, 13 Jul 2018 23:33:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/438190#M76413 nmohammed 2018-07-13T23:33:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/513100#M87005 <P>Thank you for sharing. I found this helpful.</P> Fri, 07 Aug 2020 21:17:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-events-for-a-specific-event-code-and-task/m-p/513100#M87005 gurulee 2020-08-07T21:17:06Z