Hello All,
I have been trying to blacklist an event code from Windows as follows, but the events keep on coming.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4747"
blacklist2 = EventCode="5156"
I would be grateful if you could let me know what I am doing wrong.
Rgds.
Hi,
I know you asked for a blacklist and I see why, but if this is not working for you, did you try sending the events to nullQueue on the indexer?
props.conf
 [WinEventLog:Security]
 TRANSFORMS-<name> = <name_in_transforms>
transforms.conf
 [<name_in_transforms>]
 REGEX = EventCode=(4747|5156)
 DEST_KEY = queue
 FORMAT = nullQueue
If you want to filter on more than the EventCode number, you can just add to the regex, but you will need a (?s) in front, because of the newline characters in WinEventLog events, e.g. REGEX = (?s)EventCode=(4662|4634|4672).*Message=[....]
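As an added example that is not part of the original thread or of Splunk's own code, the script below mimics what the props/transforms pair above does on the indexer: it parses constructed props.conf and transforms.conf fragments (the stanza and transform names `drop_noise` and `drop_noisy_eventcodes` are made up for the example), builds the nullQueue filters referenced by the `WinEventLog:Security` sourcetype, and routes three constructed multi-line Security events. It also shows two things the answer only states: why `(?s)` is needed as soon as the pattern spans lines, and why a REGEX value written with surrounding quotes in transforms.conf matches nothing (conf values are taken literally, so the quotes become part of the pattern).

```python
import re

# Constructed props.conf / transforms.conf fragments for this example.
# Stanza and transform names are made up; they are not Splunk defaults.
PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-drop_noise = drop_noisy_eventcodes
"""

TRANSFORMS_CONF = """
[drop_noisy_eventcodes]
REGEX = EventCode=(4747|5156)
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed multi-line events shaped like the WinEventLog:Security sourcetype.
EVENTS = [
    "02/20/2019 10:15:01 AM\nLogName=Security\nEventCode=4747\nEventType=0\n"
    "Message=A member was removed from a security-disabled local group.",
    "02/20/2019 10:15:02 AM\nLogName=Security\nEventCode=5156\nEventType=0\n"
    "Message=The Windows Filtering Platform has permitted a connection.",
    "02/20/2019 10:15:03 AM\nLogName=Security\nEventCode=4624\nEventType=0\n"
    "Message=An account was successfully logged on.",
]


def parse_conf(text):
    """Minimal .conf parser returning {stanza: {key: value}}.
    Values are kept literally (as Splunk does), so quotes around a REGEX
    would become part of the pattern."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"invalid key outside a stanza or without '=': {raw!r}")
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def null_queue_filters(props, transforms, sourcetype):
    """Compile every transform referenced by a TRANSFORMS-* key in the
    sourcetype stanza that routes to nullQueue (DEST_KEY = queue, FORMAT = nullQueue)."""
    filters = []
    for key, value in props.get(sourcetype, {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                filters.append(re.compile(t["REGEX"]))
    return filters


def route(event, filters):
    """Mimic the indexer's routing decision for one event."""
    return "nullQueue" if any(f.search(event) for f in filters) else "indexQueue"


def route_all(events=EVENTS, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    filters = null_queue_filters(parse_conf(props_text), parse_conf(transforms_text),
                                 "WinEventLog:Security")
    return [route(e, filters) for e in events]


def dotall_needed(event=EVENTS[0]):
    """Without (?s), '.' does not cross the newline between EventCode= and Message=,
    so a pattern spanning both fields fails; with (?s) it matches."""
    without = re.search(r"EventCode=(4747|5156).*Message=", event) is not None
    with_s = re.search(r"(?s)EventCode=(4747|5156).*Message=", event) is not None
    return without, with_s


def quoted_regex_matches(event=EVENTS[0]):
    """A REGEX written as "EventCode=(4747|5156)" in transforms.conf is the literal
    pattern including the quote characters, which never appear in the event."""
    return re.search('"EventCode=(4747|5156)"', event) is not None


if __name__ == "__main__":
    print(route_all())             # ['nullQueue', 'nullQueue', 'indexQueue']
    print(dotall_needed())         # (False, True)
    print(quoted_regex_matches())  # False
```

Run it as-is; the 4747 and 5156 events go to nullQueue while 4624 is indexed, and `dotall_needed()` returns `(False, True)`, which is the `(?s)` caveat in the answer in runnable form.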
Hi,
A quick update: the blacklist is working for my localhost events only. The sourcetype for localhost comes in as WinEventLog:Security.
inputs.conf:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 4658
This works perfectly and blocks all 4658 events.
However, I am also collecting the Security event log from other machines via WMI. The sourcetype in Splunk is "WMI:WinEventLog://Security".
These are not getting filtered.
P.S. I have Splunk 7.2.3.
Any ideas on how to make it work?
Rgds,
Just add blacklist = 4658 to your inputs stanza for "WMI:WinEventLog://Security" as well.
Hi Dkeck,
Finally it works. Yes, I had to add WMI:WinEventLog://Security, and I used the props and transforms as you mentioned above and it works 🙂
Many thanks.
Then please be so kind and accept my initial answer 🙂
Thanks.
Sorry for a silly question. I am using Splunk on Windows. Where are transforms.conf and props.conf found?
Also, I read that some people are using the Splunk universal forwarder. Is it necessary to use that, or can we add this blacklist / nullQueue configuration to Splunk only?
Rgds.
You set the nullQueue on your indexer. You can create your own transforms.conf and props.conf in any app you like.
Just place them in $SPLUNK_HOME/splunk/etc/apps/<your app>/local (you would have to create your app and the local directory), OR you place them in $SPLUNK_HOME/splunk/etc/system/local.
Don't forget to restart after the changes 😉
I have added props.conf and transforms.conf in $SPLUNK_HOME/splunk/etc/system/local.
I am getting the following error on restarting Splunk:
Splunk> Map. Reduce. Recycle.
Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration...  Done.
        Checking critical directories...        Done
        Checking indexes...
                (skipping validation of index paths because not running as emtelorg\emteladmin)
                Validated: _audit _internal _introspection _telemetry _thefishbucket history main summary
        Done
        Checking filesystem compatibility...  Done
        Checking conf files for problems...
                Invalid key in stanza [WinEventLog:Security] in C:\Program Files\Splunk\etc\system\local\props.conf, line 3: {{TRANSFORMS-
                Invalid key in stanza [
                Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from 'C:\Program Files\Splunk\splunk-7.2.3-06d57c595b80-windows-64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Sorry, my answer above had some formatting issues. Please copy the transforms and props code again; I changed it.
Don't forget to change the "<name>" values to your own names.
