https://community.splunk.com/t5/Getting-Data-In/Unable-to-whitelist-only-Error-EventID-s-sent-from-UF-to-Indexer/m-p/518377#M87647 <P>Hi Team,<BR /><BR /></P><DIV>From Windows Event Viewer logs we can onboard all Event ID's generated for "Application" and "System" Event logs but unable to onboard filtered events based on Event Code OR Type(Error/Warning).</DIV><DIV>&nbsp;</DIV><DIV>Below is inputs.conf written by me to filter-out the events which is not working.Also followed the below splunk docs.</DIV><DIV>&nbsp;</DIV><DIV>[WinEventLog ://Application]<DIV>disabled = 0</DIV><DIV>whitelist = Type="^[Error|Critical]"</DIV><DIV>index = test</DIV></DIV><DIV>&nbsp;</DIV><DIV>OR</DIV><DIV>&nbsp;</DIV><DIV><SPAN>[WinEventLog://Application]</SPAN><DIV>disabled = 0</DIV><DIV>whitelist = EventCode="1001|11707"</DIV><DIV>index = test</DIV></DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><DIV><SPAN>[WinEventLog://System]</SPAN><BR /><SPAN>disabled = 0</SPAN><BR /><SPAN>whitelist 1 = Event Code=7011</SPAN><BR /><SPAN>whitelist 2 = Type="^[Error|Critical]"</SPAN><BR /><SPAN>index = test</SPAN><BR /><DIV>&nbsp;</DIV><DIV><A href="https://community.splunk.com/t5/Getting-Data-In/Monitor-Windows-Event-Log-for-Critical-Error/td-p/502991" target="_blank" rel="noopener noreferrer">https://community.splunk.com/t5/Getting-Data-In/Monitor-Windows-Event-Log-for-Critical-Error/td-p/502991</A></DIV><DIV><A href="https://docs.splunk.com/Documentation/SplunkCloud/8.0.2006/Data/MonitorWindowseventlogdata" target="_blank" rel="noopener noreferrer">https://docs.splunk.com/Documentation/SplunkCloud/8.0.2006/Data/MonitorWindowseventlogdata</A></DIV></DIV><DIV><SPAN>&nbsp;</SPAN></DIV><DIV>Please check with your seniors on How can we whitelist only Error events in Application or System Event logs. Please find the attachement</DIV><DIV>&nbsp;</DIV><DIV><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sneha_nv_0-1599544724108.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10701iB52D160997B1D2F1/image-size/medium?v=v2&amp;px=400" role="button" title="sneha_nv_0-1599544724108.png" alt="sneha_nv_0-1599544724108.png" /></span><P>&nbsp;</P></DIV><DIV>&nbsp;</DIV> Tue, 08 Sep 2020 07:33:12 GMT sneha_nv 2020-09-08T07:33:12Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-whitelist-only-Error-EventID-s-sent-from-UF-to-Indexer/m-p/518377#M87647 <P>Hi Team,<BR /><BR /></P><DIV>From Windows Event Viewer logs we can onboard all Event ID's generated for "Application" and "System" Event logs but unable to onboard filtered events based on Event Code OR Type(Error/Warning).</DIV><DIV>&nbsp;</DIV><DIV>Below is inputs.conf written by me to filter-out the events which is not working.Also followed the below splunk docs.</DIV><DIV>&nbsp;</DIV><DIV>[WinEventLog ://Application]<DIV>disabled = 0</DIV><DIV>whitelist = Type="^[Error|Critical]"</DIV><DIV>index = test</DIV></DIV><DIV>&nbsp;</DIV><DIV>OR</DIV><DIV>&nbsp;</DIV><DIV><SPAN>[WinEventLog://Application]</SPAN><DIV>disabled = 0</DIV><DIV>whitelist = EventCode="1001|11707"</DIV><DIV>index = test</DIV></DIV><DIV>&nbsp;</DIV><DIV>&nbsp;</DIV><DIV><SPAN>[WinEventLog://System]</SPAN><BR /><SPAN>disabled = 0</SPAN><BR /><SPAN>whitelist 1 = Event Code=7011</SPAN><BR /><SPAN>whitelist 2 = Type="^[Error|Critical]"</SPAN><BR /><SPAN>index = test</SPAN><BR /><DIV>&nbsp;</DIV><DIV><A href="https://community.splunk.com/t5/Getting-Data-In/Monitor-Windows-Event-Log-for-Critical-Error/td-p/502991" target="_blank" rel="noopener noreferrer">https://community.splunk.com/t5/Getting-Data-In/Monitor-Windows-Event-Log-for-Critical-Error/td-p/502991</A></DIV><DIV><A href="https://docs.splunk.com/Documentation/SplunkCloud/8.0.2006/Data/MonitorWindowseventlogdata" target="_blank" rel="noopener noreferrer">https://docs.splunk.com/Documentation/SplunkCloud/8.0.2006/Data/MonitorWindowseventlogdata</A></DIV></DIV><DIV><SPAN>&nbsp;</SPAN></DIV><DIV>Please check with your seniors on How can we whitelist only Error events in Application or System Event logs. Please find the attachement</DIV><DIV>&nbsp;</DIV><DIV><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sneha_nv_0-1599544724108.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10701iB52D160997B1D2F1/image-size/medium?v=v2&amp;px=400" role="button" title="sneha_nv_0-1599544724108.png" alt="sneha_nv_0-1599544724108.png" /></span><P>&nbsp;</P></DIV><DIV>&nbsp;</DIV> Tue, 08 Sep 2020 07:33:12 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-whitelist-only-Error-EventID-s-sent-from-UF-to-Indexer/m-p/518377#M87647 sneha_nv 2020-09-08T07:33:12Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-whitelist-only-Error-EventID-s-sent-from-UF-to-Indexer/m-p/518417#M87649 <P>try below:</P><LI-CODE lang="markup">[WinEventLog://Application] disabled = 0 whitelist = EventCode="^(1001|11707)$" index = test</LI-CODE><LI-CODE lang="markup">[WinEventLog://System] disabled = 0 whitelist1 = EventCode="7011" #no space between whitelist and number whitelist2 = Type="^(Error|Critical)$" index = test</LI-CODE> Tue, 08 Sep 2020 11:11:31 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-whitelist-only-Error-EventID-s-sent-from-UF-to-Indexer/m-p/518417#M87649 thambisetty 2020-09-08T11:11:31Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-whitelist-only-Error-EventID-s-sent-from-UF-to-Indexer/m-p/518418#M87650 <P>Also If I don't know the error Eventcode and only based on Type(Error/Warning) want to collect the "Application" and "Sysytem" logs<BR /><BR />What will be my inputs.conf in this scenario while on-boarding data from UF to Indexer</P> Tue, 08 Sep 2020 11:17:50 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-whitelist-only-Error-EventID-s-sent-from-UF-to-Indexer/m-p/518418#M87650 sneha_nv 2020-09-08T11:17:50Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-whitelist-only-Error-EventID-s-sent-from-UF-to-Indexer/m-p/519344#M87825 <P>it worked for me&nbsp;</P><P><SPAN>[WinEventLog://System]<BR /></SPAN><SPAN>disabled = 0<BR /></SPAN><SPAN>whitelist1 = Type="^[Error]"<BR /></SPAN><SPAN>whitelist2 = Type="^[Critical]"<BR /></SPAN><SPAN>whitelist3 = Type="^[Warning]"<BR /></SPAN><SPAN>index = test</SPAN></P><DIV>&nbsp;</DIV><DIV><SPAN>[WinEventLog://Application]</SPAN></DIV><DIV><SPAN>disabled = 0</SPAN></DIV><DIV><SPAN>whitelist1 = Type="^[Error]"</SPAN></DIV><DIV><SPAN>whitelist2 = Type="^[Critical]"</SPAN></DIV><DIV><SPAN>whitelist3 = Type="^[Warning]"</SPAN></DIV><P><SPAN>index = test</SPAN></P> Mon, 14 Sep 2020 06:47:18 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-whitelist-only-Error-EventID-s-sent-from-UF-to-Indexer/m-p/519344#M87825 sneha_nv 2020-09-14T06:47:18Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-whitelist-only-Error-EventID-s-sent-from-UF-to-Indexer/m-p/519348#M87826 <P>I suggest you to replace [] with (), characters between [] will match individually for example</P><P>[Error] - matches E or r or r or o or r anywhere in the event.</P><P>(Error) -matches only Error</P> Mon, 14 Sep 2020 07:17:28 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-whitelist-only-Error-EventID-s-sent-from-UF-to-Indexer/m-p/519348#M87826 thambisetty 2020-09-14T07:17:28Z