https://community.splunk.com/t5/Splunk-Search/Regex-match-on-quot-message-quot-portion-of-event/m-p/489200#M136663 <P>Hi @montydo,<BR /> let me understand: do you want to exclude from indexing all the events where there's the string "C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe" ?<BR /> if this is your need you should use something like this:</P> <PRE><CODE>[WinEventLog://Security] disabled = 0 start_from = newest blacklist1 = C:\\Program Files\\Veeam\\Backup and Replication\\Console\\veeam.backup\.shell\.exe index = wineventlog </CODE></PRE> <P>otherwise, you can filter these events on Indexers before indexing (see at <A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues">https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A> ) using the same regex.</P> <P>Ciao.<BR /> Giuseppe</P> Mon, 20 Jan 2020 12:07:43 GMT gcusello 2020-01-20T12:07:43Z https://community.splunk.com/t5/Splunk-Search/Regex-match-on-quot-message-quot-portion-of-event/m-p/489199#M136662 <P>From the splunk windows_TA guide</P> <PRE><CODE>"The following keys are equivalent to the fields which appear in the text of the acquired events: Category CategoryString ComputerName EventCode EventType Keywords LogName **Message** OpCode RecordNumber Sid SidType SourceName TaskCategory Type User" </CODE></PRE> <P>I'm trying to filter on the contents of the "Message" field:</P> <PRE><CODE>An operation was attempted on a privileged object. Subject: Security ID: ROOT\username Account Name: username Account Domain: DOMAINNAME Logon ID: 0x200ABCD1 Object: Object Server: Security Object Type: - Object Name: - Object Handle: 0x1234 Process Information: Process ID: 0x12A3 Process Name: **C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe** Requested Operation: Desired Access: 1234567 Privileges: SeTakeOwnershipPrivilege </CODE></PRE> <P>I'm looking to match on the "<STRONG>C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe</STRONG>" portion and discard the events through a blacklist stanza in the inputs.conf on the Universal Forwarder.</P> <P>Something like:</P> <PRE><CODE>blacklist3 = | key=regex [key=REGEXHERE?] </CODE></PRE> <P>Is this possible? and can anyone help with the regex?</P> Mon, 20 Jan 2020 11:04:53 GMT https://community.splunk.com/t5/Splunk-Search/Regex-match-on-quot-message-quot-portion-of-event/m-p/489199#M136662 montydo 2020-01-20T11:04:53Z https://community.splunk.com/t5/Splunk-Search/Regex-match-on-quot-message-quot-portion-of-event/m-p/489200#M136663 <P>Hi @montydo,<BR /> let me understand: do you want to exclude from indexing all the events where there's the string "C:\Program Files\Veeam\Backup and Replication\Console\veeam.backup.shell.exe" ?<BR /> if this is your need you should use something like this:</P> <PRE><CODE>[WinEventLog://Security] disabled = 0 start_from = newest blacklist1 = C:\\Program Files\\Veeam\\Backup and Replication\\Console\\veeam.backup\.shell\.exe index = wineventlog </CODE></PRE> <P>otherwise, you can filter these events on Indexers before indexing (see at <A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues">https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A> ) using the same regex.</P> <P>Ciao.<BR /> Giuseppe</P> Mon, 20 Jan 2020 12:07:43 GMT https://community.splunk.com/t5/Splunk-Search/Regex-match-on-quot-message-quot-portion-of-event/m-p/489200#M136663 gcusello 2020-01-20T12:07:43Z https://community.splunk.com/t5/Splunk-Search/Regex-match-on-quot-message-quot-portion-of-event/m-p/489201#M136664 <P>Try this for your blacklisting.<BR /> Make sure you escape your backslashes and your dots as they would be interpreted as wildcards.</P> <PRE><CODE>blacklist3 = Message="Process Name:\s+\*\*C:\\Program Files\\Veeam\\Backup and Replication\\Console\\veeam\.backup\.shell\.exe" </CODE></PRE> Mon, 20 Jan 2020 12:09:24 GMT https://community.splunk.com/t5/Splunk-Search/Regex-match-on-quot-message-quot-portion-of-event/m-p/489201#M136664 damann 2020-01-20T12:09:24Z