topic Re: How do I blacklist events with a field containing a specific value? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-events-with-a-field-containing-a-specific/m-p/490913#M83908 <P>The technique for blacklisting Windows event log data only works for Windows event log data. To ignore other events, use props and transforms to send selected events to the NULL queue. See <A href="https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues">https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A> and <A href="https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html">https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html</A> .</P> Mon, 04 May 2020 21:06:31 GMT richgalloway 2020-05-04T21:06:31Z How do I blacklist events with a field containing a specific value? https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-events-with-a-field-containing-a-specific/m-p/490912#M83907 <P>I have a set of JSON data and I would like to ignore (blacklist) all events where the field "id.orig_h" contains the value "192.168.0.1".</P> <P>So far, I've tried using the blacklisting procedure for Windows EventCodes as a model, but with no success. Example EventCode blacklist:</P> <P>[WinEventLog:Security]<BR /> blacklist1 = EventCode = "4662" Message = "Account Name:\s+(example account)"</P> <P>What I've tried:</P> <P>1) Adding the blacklist underneath the monitor stanza in inputs.conf</P> <P>[monitor:///opt/bro/logs/current]<BR /> index = yada<BR /> sourcetype = yadayada<BR /> blacklist = id.orig_h = "192.168.0.1"</P> <P>2) Adding the blacklist under a separate sourcetype stanza in inputs.conf</P> <P>[monitor:///opt/bro/logs/current]<BR /> index = yada<BR /> sourcetype = yadayada</P> <P>[yadayada]<BR /> blacklist = id.orig_h = "192.168.0.1"</P> <P>How can I achieve this?</P> Mon, 04 May 2020 20:45:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-events-with-a-field-containing-a-specific/m-p/490912#M83907 dbuehler 2020-05-04T20:45:03Z Re: How do I blacklist events with a field containing a specific value? https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-events-with-a-field-containing-a-specific/m-p/490913#M83908 <P>The technique for blacklisting Windows event log data only works for Windows event log data. To ignore other events, use props and transforms to send selected events to the NULL queue. See <A href="https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues">https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A> and <A href="https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html">https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html</A> .</P> Mon, 04 May 2020 21:06:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-blacklist-events-with-a-field-containing-a-specific/m-p/490913#M83908 richgalloway 2020-05-04T21:06:31Z