Hello Team,
I have been working to optimize the data going to Splunk and found that EventCode 4662, Object Type = Computers is forwarding a huge amount of data.
Upon further investigation I found that Subject User Names having $ (Local Account) can be blacklisted from being sent to Splunk Cloud.
To do so I added the below regex in the Splunk application on the Deployment Server.
The below regex works completely fine on sample data:
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
This would help me not send user names having $ in Subject User Name, which could save a lot of space on Splunk, as more than 100s of servers are sending data to Splunk and it would increase eventually.
Thanks & Regards,
Pratik Pashte
Hi Giuseppe,
The above inputs.conf is not working as expected; actually I do not want any other user name, mostly with $, in the event, which is actually consuming the Splunk space.
So I have created that regex to blacklist the Subject User Name with $, but it is not working; I can still get users on Splunk for that particular event code.
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
This is my inputs.conf file:
Hi @PratikPashte,
Check the regex using the regex command, remembering to escape special chars.
If you want help, please share a message, because I have an Italian Windows.
Ciao.
Giuseppe
Yes, I have escaped special characters in the regex. Do you suggest anything more I need to tweak in the below regex?
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
Hi @PratikPashte,
Please share a sample of your logs.
Could you display your regex using the Code Sample button?
Ciao.
Giuseppe
Hi @PratikPashte,
Good idea if it is working for you, only one hint: check that in the filtered data there isn't any interesting data, because using a filter like the one you described you don't index those events and you lose them.
I saw that sometimes in Windows logs there are several different User_Names in the same event.
Anyway, good for you; only for completeness: what's your real question?
Ciao.
Giuseppe
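A quick offline check of the pattern from this thread, added here as an example that is not part of any post above. It runs the posted regex and a tighter alternative over constructed sample 4662 events, including one where a $ sits in a different field of the same event, which is the "interesting data gets dropped" case Giuseppe warns about. Python's re stands in for Splunk's PCRE; the anchored pattern, the sample events and the helper names are assumptions, and nothing here models how Splunk itself evaluates a blacklist (whether Message is matched against the XML or the rendered text depends on your inputs.conf).

```python
import re

# Constructed sample events (not from the thread): simplified, single-line
# XML bodies in the shape Splunk produces for a Windows 4662 event.
MACHINE_ACCOUNT_EVENT = (
    "<Event><System><EventID>4662</EventID></System><EventData>"
    "<Data Name='SubjectUserName'>SRV01$</Data>"
    "<Data Name='SubjectDomainName'>CORP</Data>"
    "<Data Name='ObjectName'>CN=Policies,CN=System,DC=corp,DC=example</Data>"
    "</EventData></Event>"
)
HUMAN_EVENT = (
    "<Event><System><EventID>4662</EventID></System><EventData>"
    "<Data Name='SubjectUserName'>jdoe</Data>"
    "<Data Name='SubjectDomainName'>CORP</Data>"
    "<Data Name='ObjectName'>CN=Policies,CN=System,DC=corp,DC=example</Data>"
    "</EventData></Event>"
)
# Human subject, but a later field on the same line carries a '$'
# (here a computer object in ObjectName). This is the event you do not
# want to lose.
HUMAN_EVENT_DOLLAR_ELSEWHERE = (
    "<Event><System><EventID>4662</EventID></System><EventData>"
    "<Data Name='SubjectUserName'>jdoe</Data>"
    "<Data Name='SubjectDomainName'>CORP</Data>"
    "<Data Name='ObjectName'>CN=SRV02$,CN=Computers,DC=corp,DC=example</Data>"
    "</EventData></Event>"
)

SAMPLE_EVENTS = {
    "machine_account": MACHINE_ACCOUNT_EVENT,
    "human": HUMAN_EVENT,
    "human_dollar_elsewhere": HUMAN_EVENT_DOLLAR_ELSEWHERE,
}

# The Message pattern exactly as posted in the thread.
ORIGINAL = re.compile(r"(?:<Data Name='SubjectUserName'>).+(?:\$)")

# Tighter alternative (an assumption, not from the thread): [^<]* cannot
# leave the SubjectUserName element, so the '$' must be the last character
# of that one value. The inputs.conf line would then read
#   blacklist1 = EventCode="4662" Message="<Data Name='SubjectUserName'>[^<]*\$</Data>"
ANCHORED = re.compile(r"<Data Name='SubjectUserName'>[^<]*\$</Data>")


def would_blacklist(pattern, event):
    """True if the blacklist regex matches, i.e. Splunk would drop the event."""
    return pattern.search(event) is not None


def dropped_events(pattern, events):
    """Names of the sample events a given pattern would filter out."""
    return sorted(name for name, ev in events.items() if would_blacklist(pattern, ev))


def compare(events):
    """Per event: (dropped by ORIGINAL, dropped by ANCHORED)."""
    return {
        name: (would_blacklist(ORIGINAL, ev), would_blacklist(ANCHORED, ev))
        for name, ev in events.items()
    }


if __name__ == "__main__":
    for name, (orig, anchored) in compare(SAMPLE_EVENTS).items():
        print(f"{name:24s} original={orig!s:5s} anchored={anchored!s:5s}")
```

The greedy .+ in the posted pattern only requires some $ to appear somewhere after the SubjectUserName tag on the same line, so a human user's event is dropped as soon as any later field contains a $. Running this over a handful of real events exported from the search head (before the blacklist is deployed) is the check Giuseppe suggests: whatever dropped_events returns for the candidate pattern is exactly what will never be indexed.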