How do I override a blacklist entry in default inputs.conf?

scottrunyon
Contributor

I am using Splunk Add-on for Microsoft Windows. In default\inputs.conf [WinEventLog://Security] there are lines blacklist1 and blacklist2 for two Windows eventcodes. I need to have these codes indexed without being adulterated. How do I override the blacklist line? Do I comment out the line in local\inputs.conf, add a whitelist line or something else?

0 Karma

maciep
Champion

I believe you want to set them to nothing in your local copy:

[WinEventLog://Security]
# disabling the blacklists set in default
blacklist1 =
blacklist2 =

0 Karma
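
An added example, not part of the thread's posts or of the add-on: a simplified Python model of how settings in local\inputs.conf layer over default\inputs.conf attribute by attribute, comparing the two options from the question. The blacklist values are constructed placeholders, and treating an empty value as "no filter" is an assumption taken from the answer above.

```python
# Simplified model of Splunk's per-attribute layering: local/ overrides default/.
# All stanza values below are constructed placeholders, not the add-on's real ones.
DEFAULT_CONF = '''
[WinEventLog://Security]
blacklist1 = EventCode="<code-A>"
blacklist2 = EventCode="<code-B>"
'''

LOCAL_COMMENTED = '''
[WinEventLog://Security]
# blacklist1 = EventCode="<code-A>"
# blacklist2 = EventCode="<code-B>"
'''

LOCAL_EMPTY = '''
[WinEventLog://Security]
blacklist1 =
blacklist2 =
'''

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def effective(default_text, local_text):
    """Merge attribute by attribute; a key present in local wins, even if empty."""
    merged = {s: dict(kv) for s, kv in parse_conf(default_text).items()}
    for stanza, kv in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(kv)
    return merged

def active_blacklists(default_text, local_text, stanza="WinEventLog://Security"):
    """Return the blacklist* keys that still carry a non-empty filter."""
    settings = effective(default_text, local_text).get(stanza, {})
    return sorted(k for k, v in settings.items() if k.startswith("blacklist") and v)

if __name__ == "__main__":
    print("commented out in local:", active_blacklists(DEFAULT_CONF, LOCAL_COMMENTED))
    print("set to empty in local: ", active_blacklists(DEFAULT_CONF, LOCAL_EMPTY))
```

A commented-out line in local contributes no key, so the default value stays in effect; only an explicit key in local replaces it. On a real forwarder, `splunk btool inputs list --debug` prints the merged settings together with the file each one came from.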

scottrunyon
Contributor

Thank you. I will try that and report if it works

0 Karma