https://community.splunk.com/t5/Getting-Data-In/Windows-inputs-conf-blacklist-testing-process/m-p/500484#M85296 <P>Hi @adalbor,</P> <P>This is very well details here :<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Configuration_settings_for_monitoring_Windows_Event_Logs">https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Configuration_settings_for_monitoring_Windows_Event_Logs</A><BR /> Have a look at the <CODE>blacklist</CODE> section there.</P> <P>You can even find advanced configurations and examples here : <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Create_advanced_filters_with_.27whitelist.27_and_.27blacklist.27">https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Create_advanced_filters_with_.27whitelist.27_and_.27blacklist.27</A></P> <P>You can use an example event from Splunk to test your regex. After searching for the event you wish to test out, add <CODE>|table _raw</CODE> to your query to see the raw log line.</P> <P>Let me know if you need more details.</P> <P>Cheers,<BR /> David</P> Tue, 03 Dec 2019 16:22:28 GMT DavidHourani 2019-12-03T16:22:28Z https://community.splunk.com/t5/Getting-Data-In/Windows-inputs-conf-blacklist-testing-process/m-p/500483#M85295 <P>Does anyone out there have a best practice for testing Windows event inputs.conf blacklist entries?</P> <P>What actual event/part of the event is used for testing? The data in the splunk event gathered from a search? Or am I going straight to the windows box and copying the text from the General tab or the Friendly view?</P> <P>I use regex101 and regexr and even sublime when needed to test regex's but I feel like looking through multiple posts everyone achieves their goals a little bit differently.</P> <P>Would be great if Splunk provided a step by step document on how best to achieve this and ensure it works.</P> <P>Thanks, <BR /> Andrew</P> Tue, 03 Dec 2019 16:14:27 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-inputs-conf-blacklist-testing-process/m-p/500483#M85295 adalbor 2019-12-03T16:14:27Z https://community.splunk.com/t5/Getting-Data-In/Windows-inputs-conf-blacklist-testing-process/m-p/500484#M85296 <P>Hi @adalbor,</P> <P>This is very well details here :<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Configuration_settings_for_monitoring_Windows_Event_Logs">https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Configuration_settings_for_monitoring_Windows_Event_Logs</A><BR /> Have a look at the <CODE>blacklist</CODE> section there.</P> <P>You can even find advanced configurations and examples here : <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Create_advanced_filters_with_.27whitelist.27_and_.27blacklist.27">https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Create_advanced_filters_with_.27whitelist.27_and_.27blacklist.27</A></P> <P>You can use an example event from Splunk to test your regex. After searching for the event you wish to test out, add <CODE>|table _raw</CODE> to your query to see the raw log line.</P> <P>Let me know if you need more details.</P> <P>Cheers,<BR /> David</P> Tue, 03 Dec 2019 16:22:28 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-inputs-conf-blacklist-testing-process/m-p/500484#M85296 DavidHourani 2019-12-03T16:22:28Z https://community.splunk.com/t5/Getting-Data-In/Windows-inputs-conf-blacklist-testing-process/m-p/500485#M85297 <P>Thanks for the advice on using the _raw.</P> <P>I've looked at the official documentation quite a few times and there is still left to be desired. It goes into some simple use cases but nothing actually advanced in my opinion.</P> Tue, 03 Dec 2019 16:29:00 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-inputs-conf-blacklist-testing-process/m-p/500485#M85297 adalbor 2019-12-03T16:29:00Z https://community.splunk.com/t5/Getting-Data-In/Windows-inputs-conf-blacklist-testing-process/m-p/500486#M85298 <P>yeah.. It's called advanced in the documentation, but as usual the "advanced" that is documented is only there to help build things... surely nothing compared to what you can do with ninja skills and good imagination. </P> <P>Anyway let me know if you still anything else and please accept the answer if it was helpful <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 03 Dec 2019 16:33:31 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-inputs-conf-blacklist-testing-process/m-p/500486#M85298 DavidHourani 2019-12-03T16:33:31Z