https://community.splunk.com/t5/Getting-Data-In/Can-Universal-Forwaders-filter-in-their-input-conf-file/m-p/485303#M85830 <P>I am attempting to filter an eventID 5156 with an application name of "\device\harddiskvolume5\program files\bonjour\mdnsresponder.exe" I am using a Universal Forwarder but I am seeing mixed responses saying this is not possible on universal Forwarder. My Universal Forwarders point to my Indexer.</P> Sun, 07 Jun 2020 00:19:20 GMT splunktrainingu 2020-06-07T00:19:20Z https://community.splunk.com/t5/Getting-Data-In/Can-Universal-Forwaders-filter-in-their-input-conf-file/m-p/485303#M85830 <P>I am attempting to filter an eventID 5156 with an application name of "\device\harddiskvolume5\program files\bonjour\mdnsresponder.exe" I am using a Universal Forwarder but I am seeing mixed responses saying this is not possible on universal Forwarder. My Universal Forwarders point to my Indexer.</P> Sun, 07 Jun 2020 00:19:20 GMT https://community.splunk.com/t5/Getting-Data-In/Can-Universal-Forwaders-filter-in-their-input-conf-file/m-p/485303#M85830 splunktrainingu 2020-06-07T00:19:20Z https://community.splunk.com/t5/Getting-Data-In/Can-Universal-Forwaders-filter-in-their-input-conf-file/m-p/485304#M85831 <P>Check this out.</P> <BLOCKQUOTE> <P><A href="https://www.splunk.com/en_us/blog/tips-and-tricks/controlling-4662-messages-in-the-windows-security-event-log.html">https://www.splunk.com/en_us/blog/tips-and-tricks/controlling-4662-messages-in-the-windows-security-event-log.html</A></P> </BLOCKQUOTE> <P>I think this is along the line of what you are looking for. You need to use regex to create the filter.</P> <P>(Edit: Formatting)</P> Thu, 30 Apr 2020 20:19:29 GMT https://community.splunk.com/t5/Getting-Data-In/Can-Universal-Forwaders-filter-in-their-input-conf-file/m-p/485304#M85831 dsctm3 2020-04-30T20:19:29Z