https://community.splunk.com/t5/Getting-Data-In/Need-to-Disable-A-Process-Name-with-Event-ID/m-p/517493#M87571 <P>Thanks.</P><P>But it would be really helpful if you can provide a inputs config file so that i can check on the same.</P> Wed, 02 Sep 2020 14:29:10 GMT anandhalagaras1 2020-09-02T14:29:10Z https://community.splunk.com/t5/Getting-Data-In/Need-to-Disable-A-Process-Name-with-Event-ID/m-p/517479#M87565 <P>We are collecting Wineventlog data from Security, Application &amp; System.</P><P>In Security we want to disable a particular Event Code which is having the corresponding New_Process_Name.</P><P>&nbsp;EventCode=4688&nbsp;</P><P>New_Process_Message=C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager\\bin\\xxxx.exe</P><P>So how can i write the inputs.conf and blacklist the Eventcode with New_Process_Message.&nbsp;</P><P>&nbsp;</P><P>Similarly I have around 30 + New_Process_Message for the EventCode=4688 so how can i blacklist all of them.</P><P>&nbsp;</P><P>Kindly help to provide the inputs.conf for the same.</P><P>&nbsp;</P> Fri, 04 Sep 2020 07:43:06 GMT https://community.splunk.com/t5/Getting-Data-In/Need-to-Disable-A-Process-Name-with-Event-ID/m-p/517479#M87565 anandhalagaras1 2020-09-04T07:43:06Z https://community.splunk.com/t5/Getting-Data-In/Need-to-Disable-A-Process-Name-with-Event-ID/m-p/517481#M87567 <P>Hi</P><P>I believe that this posting helps you.&nbsp;<A href="https://www.hurricanelabs.com/splunk-tutorials/windows-event-log-filtering-design-in-splunk" target="_blank">https://www.hurricanelabs.com/splunk-tutorials/windows-event-log-filtering-design-in-splunk</A><BR />r. Ismo</P> Wed, 02 Sep 2020 13:50:44 GMT https://community.splunk.com/t5/Getting-Data-In/Need-to-Disable-A-Process-Name-with-Event-ID/m-p/517481#M87567 isoutamo 2020-09-02T13:50:44Z https://community.splunk.com/t5/Getting-Data-In/Need-to-Disable-A-Process-Name-with-Event-ID/m-p/517493#M87571 <P>Thanks.</P><P>But it would be really helpful if you can provide a inputs config file so that i can check on the same.</P> Wed, 02 Sep 2020 14:29:10 GMT https://community.splunk.com/t5/Getting-Data-In/Need-to-Disable-A-Process-Name-with-Event-ID/m-p/517493#M87571 anandhalagaras1 2020-09-02T14:29:10Z https://community.splunk.com/t5/Getting-Data-In/Need-to-Disable-A-Process-Name-with-Event-ID/m-p/517747#M87587 <P>Hi All,</P><P>I have tried to disable EventCode=4688 with New Process Name filtration but the logs are still getting ingested into Splunk.</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/1406">@woodcock</a>&nbsp;Hence kindly help on my request.</P><P>Here are my inputs.conf</P><P>blacklist = EventCode="4688" Message="(?:New Process Name:).+(?:Windows\\System32\\conhost.exe)"<BR />blacklist0 = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk-winhostinfo.exe)"<BR />blacklist1 = EventCode="4688" Message="(?:New Process Name:).+(?:Symantec\\Symantec Endpoint Protection Manager\\bin\\USNWash.exe)"<BR />blacklist2 = EventCode="4688" Message="(?:New Process Name:).+(?:Symantec\\Symantec Endpoint Protection Manager\\bin\\XDelta64\\xdelta3.exe)"<BR />blacklist3 = EventCode="4688" Message="(?:New Process Name:).+(?:Symantec\\Symantec Endpoint Protection Manager\\tomcat\\bin\\sempub.exe)"</P><P>&nbsp;</P><P>So kindly help to correct me where is the gap. So that i can update the same for the rest of the "New Process Name".</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 03 Sep 2020 15:33:20 GMT https://community.splunk.com/t5/Getting-Data-In/Need-to-Disable-A-Process-Name-with-Event-ID/m-p/517747#M87587 anandhalagaras1 2020-09-03T15:33:20Z https://community.splunk.com/t5/Getting-Data-In/Need-to-Disable-A-Process-Name-with-Event-ID/m-p/517753#M87588 <P>Can anyone help on my request please.</P> Thu, 03 Sep 2020 16:15:30 GMT https://community.splunk.com/t5/Getting-Data-In/Need-to-Disable-A-Process-Name-with-Event-ID/m-p/517753#M87588 anandhalagaras1 2020-09-03T16:15:30Z