Hi,
I am trying to blacklist Windows Event ID 4769 from a particular User ID. Is this possible to be implemented.
I already added the following Blacklist but it didnt seem to work.
blacklist = EventCode="4769" User="Account Name"
1. Where are you putting those settings to?
2. What format are you ingesting your eventlogs in?
I am making changes on opt splunk etc apps splunk_ta_win local inputs.conf. The Windows Event IDs are collected using Universal Forwarder. There is one another blacklist in the same configuration file which is working fine with out any issues.
OK.
How are you ingesting your events? key/value or XML?
Does the other (working) blacklist entry specify just the event code?
"Seem"? Either it worked or it didn't.
In which file did you add that line? On which Splunk instance? Did you restart Splunk after making the change?
Didnt work. Yes, I have restarted the services after making the changes.
