https://community.splunk.com/t5/Splunk-Search/Blacklisting-the-hypen-processname-using-REGEX/m-p/661071#M228241 <P>This would be done on a heavy forwarder or the indexer(s), whichever the events hit first. The below link has information for how to do this. You can do it with SEDCMD in a props.conf. The code below is an excerpt from that page that shows specifically how you would do this. In this case this&nbsp;<EM><STRONG>&lt;Data Name='IpPort'&gt;0&lt;/Data&gt;</STRONG></EM> is being turned into this&nbsp;<EM><STRONG>&lt;Data Name='IpPort'&gt;&lt;/Data&gt;</STRONG></EM>.</P><LI-CODE lang="markup">#For XmlWinEventLog:Security SEDCMD-cleanxmlsrcport = s/&lt;Data Name='IpPort'&gt;0&lt;\/Data&gt;/&lt;Data Name='IpPort'&gt;&lt;\/Data&gt;/</LI-CODE><P><A href="https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration" target="_blank">https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration</A></P> Tue, 17 Oct 2023 17:36:41 GMT fredclown 2023-10-17T17:36:41Z https://community.splunk.com/t5/Splunk-Search/Blacklisting-the-hypen-processname-using-REGEX/m-p/661047#M228232 <P>Hi, As I was wondering can we blacklist the processname like "-"&nbsp; in the inputs.conf of DS ?? to save the splunk license .</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AL3Z_0-1697558769612.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/27614iE6CDF0717D2D4720/image-size/medium?v=v2&amp;px=400" role="button" title="AL3Z_0-1697558769612.png" alt="AL3Z_0-1697558769612.png" /></span></P><P>&nbsp;</P><P>Sample Event:<BR /><BR /><BR />&lt;Event xmlns='<A href="http://schemas.microsoft.com/win/2004/08/events/event" target="_blank">http://schemas.microsoft.com/win/2004/08/events/event</A>'&gt;&lt;System&gt;&lt;Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/&gt;&lt;EventID&gt;4624&lt;/EventID&gt;&lt;Version&gt;3&lt;/Version&gt;&lt;Level&gt;0&lt;/Level&gt;&lt;Task&gt;12544&lt;/Task&gt;&lt;Opcode&gt;0&lt;/Opcode&gt;&lt;Keywords&gt;0x8020000000000000&lt;/Keywords&gt;&lt;TimeCreated SystemTime='2023-10-17T16:07:15.4402877Z'/&gt;&lt;EventRecordID&gt;455140&lt;/EventRecordID&gt;&lt;Correlation ActivityID='{b2071651-382e-4101-85e8-28f5e9b1b5d5}'/&gt;&lt;Execution ProcessID='1112' ThreadID='3816'/&gt;&lt;Channel&gt;Security&lt;/Channel&gt;&lt;Computer&gt;xyz.com&lt;/Computer&gt;&lt;Security/&gt;&lt;/System&gt;&lt;EventData&gt;&lt;Data Name='SubjectUserSid'&gt;NULL SID&lt;/Data&gt;&lt;Data Name='SubjectUserName'&gt;-&lt;/Data&gt;&lt;Data Name='SubjectDomainName'&gt;-&lt;/Data&gt;&lt;Data Name='SubjectLogonId'&gt;0x0&lt;/Data&gt;&lt;Data Name='TargetUserSid'&gt;NT AUTHORITY\SYSTEM&lt;/Data&gt;&lt;Data Name='TargetUserName'&gt;xxx$&lt;/Data&gt;&lt;Data Name='TargetDomainName'&gt;xyx.COM&lt;/Data&gt;&lt;Data Name='TargetLogonId'&gt;0xb126027&lt;/Data&gt;&lt;Data Name='LogonType'&gt;3&lt;/Data&gt;&lt;Data Name='LogonProcessName'&gt;Kerberos&lt;/Data&gt;&lt;Data Name='AuthenticationPackageName'&gt;Kerberos&lt;/Data&gt;&lt;Data Name='WorkstationName'&gt;-&lt;/Data&gt;&lt;Data Name='LogonGuid'&gt;{c425351a-8525-d2f0-f686-1a0aff9db449}&lt;/Data&gt;&lt;Data Name='TransmittedServices'&gt;-&lt;/Data&gt;&lt;Data Name='LmPackageName'&gt;-&lt;/Data&gt;&lt;Data Name='KeyLength'&gt;0&lt;/Data&gt;&lt;Data Name='ProcessId'&gt;0x0&lt;/Data&gt;&lt;Data Name='ProcessName'&gt;-&lt;/Data&gt;&lt;Data Name='IpAddress'&gt;127.0.0.1&lt;/Data&gt;&lt;Data Name='IpPort'&gt;0&lt;/Data&gt;&lt;Data Name='ImpersonationLevel'&gt;%%1833&lt;/Data&gt;&lt;Data Name='RestrictedAdminMode'&gt;-&lt;/Data&gt;&lt;Data Name='RemoteCredentialGuard'&gt;-&lt;/Data&gt;&lt;Data Name='TargetOutboundUserName'&gt;-&lt;/Data&gt;&lt;Data Name='TargetOutboundDomainName'&gt;-&lt;/Data&gt;&lt;Data Name='VirtualAccount'&gt;%%1843&lt;/Data&gt;&lt;Data Name='TargetLinkedLogonId'&gt;0x0&lt;/Data&gt;&lt;Data Name='ElevatedToken'&gt;%%1842&lt;/Data&gt;&lt;/EventData&gt;&lt;/Event&gt;</P><P>&nbsp;</P><P>Thanks</P> Tue, 17 Oct 2023 16:09:35 GMT https://community.splunk.com/t5/Splunk-Search/Blacklisting-the-hypen-processname-using-REGEX/m-p/661047#M228232 AL3Z 2023-10-17T16:09:35Z https://community.splunk.com/t5/Splunk-Search/Blacklisting-the-hypen-processname-using-REGEX/m-p/661071#M228241 <P>This would be done on a heavy forwarder or the indexer(s), whichever the events hit first. The below link has information for how to do this. You can do it with SEDCMD in a props.conf. The code below is an excerpt from that page that shows specifically how you would do this. In this case this&nbsp;<EM><STRONG>&lt;Data Name='IpPort'&gt;0&lt;/Data&gt;</STRONG></EM> is being turned into this&nbsp;<EM><STRONG>&lt;Data Name='IpPort'&gt;&lt;/Data&gt;</STRONG></EM>.</P><LI-CODE lang="markup">#For XmlWinEventLog:Security SEDCMD-cleanxmlsrcport = s/&lt;Data Name='IpPort'&gt;0&lt;\/Data&gt;/&lt;Data Name='IpPort'&gt;&lt;\/Data&gt;/</LI-CODE><P><A href="https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration" target="_blank">https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Configuration</A></P> Tue, 17 Oct 2023 17:36:41 GMT https://community.splunk.com/t5/Splunk-Search/Blacklisting-the-hypen-processname-using-REGEX/m-p/661071#M228241 fredclown 2023-10-17T17:36:41Z