https://community.splunk.com/t5/Splunk-Search/Blacklisting-Windows-EventCodes/m-p/671150#M230018 <P>I've tried both of those. I forgot to put EventCode= &nbsp;in a couple examples&nbsp;</P> Thu, 07 Dec 2023 12:16:55 GMT Bo3432 2023-12-07T12:16:55Z https://community.splunk.com/t5/Splunk-Search/Blacklisting-Windows-EventCodes/m-p/671099#M229996 <P>I am trying to remove window EventCodes 4688 and 4627. Nothing I have tried has worked. Her are the things that I have tried. This is on the inputs.conf.<BR /><BR /></P> <LI-CODE lang="markup">blacklist = EventCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\bin\splunk.exe)|.+(?:SplunkUniversalForwarder\bin\splunkd.exe)|.+(?:SplunkUniversalForwarder\bin\btool.exe)|.+(?:Splunk\bin\splunk.exe)|.+(?:Splunk\bin\splunkd.exe)|.+(?:Splunk\bin\btool.exe)|.+(?:Agent\MonitoringHost.exe)" blacklist1= EventCode="4688" blacklist2= EventCode="4627" blacklist= EventCode=4627,4688 blacklist = EventCode=4627|4688 blacklist= EventCode=%^(4627|4688)$% blacklist= EventCode=%^4627$% blacklist= EventCode=%^4688$%</LI-CODE> <P><BR /><BR /><BR /></P> <P><BR /><BR /><BR /><BR /></P> Thu, 07 Dec 2023 13:06:43 GMT https://community.splunk.com/t5/Splunk-Search/Blacklisting-Windows-EventCodes/m-p/671099#M229996 Bo3432 2023-12-07T13:06:43Z https://community.splunk.com/t5/Splunk-Search/Blacklisting-Windows-EventCodes/m-p/671105#M229998 <OL><LI><P><STRONG>Event Code Watchlist:</STRONG></P><UL><LI>Think of your computer as a detective, always keeping an eye on what's happening. EventCodes are like clues or signals.</LI></UL></LI><LI><P><STRONG>Blacklist = Unwanted Events:</STRONG></P><UL><LI>Blacklisting is saying, "I don't want these specific clues or signals." It's like telling the detective to ignore certain types of information.</LI></UL></LI><LI><P><STRONG>Filtering Out Unwanted Stuff:</STRONG></P><UL><LI>Imagine you're sorting through mail. Blacklisting is like throwing away letters from certain senders you don't want to hear from.</LI></UL></LI><LI><P><STRONG>Improving Focus:</STRONG></P><UL><LI>By blacklisting EventCodes, you're helping your computer focus on the events that matter and ignoring the ones that don't.</LI></UL></LI><LI><P><STRONG>Less Noise, More Clarity:</STRONG></P><UL><LI>It's like reducing background noise so you can hear the important stuff clearly. Blacklisting helps your computer concentrate on significant events.</LI></UL></LI></OL> Thu, 07 Dec 2023 05:54:51 GMT https://community.splunk.com/t5/Splunk-Search/Blacklisting-Windows-EventCodes/m-p/671105#M229998 soniya-01 2023-12-07T05:54:51Z https://community.splunk.com/t5/Splunk-Search/Blacklisting-Windows-EventCodes/m-p/671106#M229999 <P>I know the purpose of blacklist&nbsp;</P> Thu, 07 Dec 2023 05:56:55 GMT https://community.splunk.com/t5/Splunk-Search/Blacklisting-Windows-EventCodes/m-p/671106#M229999 Bo3432 2023-12-07T05:56:55Z https://community.splunk.com/t5/Splunk-Search/Blacklisting-Windows-EventCodes/m-p/671115#M230002 <P>You mix two different things. One is blacklisting by eventID</P><PRE>blacklist=4627,4688</PRE><P>or</P><PRE>blacklist3=4627,4688</PRE><P>(of course it can be blacklist1 all the way to blacklist9).</P><P>That should work for any event format.</P><P>The other format is filtering based on event's contents (which might also include the EventID field).</P><P>And the equivalent would be</P><PRE>blacklist=EventCode=%^(4627|3688)$%</PRE><P>You can of course specify a different delimiter for your regex so it might be for example</P><PRE>blacklist=EventCode=+^(4627|3688)$+</PRE> Thu, 07 Dec 2023 07:52:55 GMT https://community.splunk.com/t5/Splunk-Search/Blacklisting-Windows-EventCodes/m-p/671115#M230002 PickleRick 2023-12-07T07:52:55Z https://community.splunk.com/t5/Splunk-Search/Blacklisting-Windows-EventCodes/m-p/671150#M230018 <P>I've tried both of those. I forgot to put EventCode= &nbsp;in a couple examples&nbsp;</P> Thu, 07 Dec 2023 12:16:55 GMT https://community.splunk.com/t5/Splunk-Search/Blacklisting-Windows-EventCodes/m-p/671150#M230018 Bo3432 2023-12-07T12:16:55Z