I am using Splunk Add-on for Microsoft Windows. In default\inputs.conf [WinEventLog://Security] there are lines blacklist1 and blacklist2 for two Windows eventcodes. I need to have these codes indexed without be adulterated. How do I override the blacklist line? Do I comment out the line in local\inputs.conf, add a whitelist line or something else?
I believe you want to set them to nothing in your local copy
[WinEventLog://Security]
# disabling the blacklists set in default
blacklist1 =
blacklist2 =
Thank you. I will try that and report if it works