I have added blackliste3 as per below in "Splunk_TA_Windows" on one Universal Forwarder it worked.
Now want to update on all Universal Forwarder then do i need to manually edit this app on all servers?
I tried, editing "Splunk_TA_Windows" on the deployment server where this app installed-restarted splunk, restarted UF too but no luck, any idea?
blacklist3 = EventCode="(4634|4672)" Message="(?m)Account\sName:[^\n]+\$$"
You're right in that the change should be made on the Deployment Server. Modify the inputs.conf file in the deployment-apps/Splunk_TA_Windows/local directory and it should be picked up by each UF the next time they phone home.
You're right in that the change should be made on the Deployment Server. Modify the inputs.conf file in the deployment-apps/Splunk_TA_Windows/local directory and it should be picked up by each UF the next time they phone home.