How do I blacklist events with a field containing a specific value?

dbuehler
Loves-to-Learn Everything

I have a set of JSON data and I would like to ignore (blacklist) all events where the field "id.orig_h" contains the value "192.168.0.1".

So far, I've tried using the blacklisting procedure for Windows EventCodes as a model, but with no success. Example EventCode blacklist:

[WinEventLog:Security]
blacklist1 = EventCode = "4662" Message = "Account Name:\s+(example account)"

What I've tried:

1) Adding the blacklist underneath the monitor stanza in inputs.conf

[monitor:///opt/bro/logs/current]
index = yada
sourcetype = yadayada
blacklist = id.orig_h = "192.168.0.1"

2) Adding the blacklist under a separate sourcetype stanza in inputs.conf

[monitor:///opt/bro/logs/current]
index = yada
sourcetype = yadayada

[yadayada]
blacklist = id.orig_h = "192.168.0.1"

How can I achieve this?

0 Karma

richgalloway
SplunkTrust

The technique for blacklisting Windows event log data only works for Windows event log data. To ignore other events, use props and transforms to send selected events to the NULL queue. See https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_... and https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html .

---
If this reply helps you, Karma would be appreciated.
0 Karma
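As an added worked example (not code from the original thread or from Splunk), here is the props.conf/transforms.conf pair the answer points at, wrapped in a small Python script that checks the REGEX against a few constructed Zeek/Bro conn.log JSON lines. The transform name `drop_orig_h_192_168_0_1` and the sample events are assumptions; `yadayada` is the placeholder sourcetype from the question. Splunk evaluates REGEX with PCRE, and Python's `re` is used here only to approximate that match.

```python
import re

# props.conf on the first Splunk tier that parses the data (indexer or heavy
# forwarder). "yadayada" is the placeholder sourcetype from the question.
PROPS_CONF = """\
[yadayada]
TRANSFORMS-drop_orig_h = drop_orig_h_192_168_0_1
"""

# transforms.conf: events whose raw text matches REGEX go to nullQueue and are
# never indexed. The stanza name is an assumption. Dots are escaped so "." only
# matches a literal dot, and the closing quote stops 192.168.0.1 from also
# matching 192.168.0.10.
TRANSFORMS_CONF = r"""
[drop_orig_h_192_168_0_1]
REGEX = "id\.orig_h"\s*:\s*"192\.168\.0\.1"
DEST_KEY = queue
FORMAT = nullQueue
"""


def regex_from_transforms(conf: str, stanza: str) -> "re.Pattern[str]":
    """Pull the REGEX value out of one transforms.conf stanza and compile it.

    Splunk takes the value literally (the quotes are part of the pattern),
    so nothing is stripped beyond surrounding whitespace.
    """
    in_stanza = False
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_stanza = line == f"[{stanza}]"
        elif in_stanza and line.startswith("REGEX"):
            return re.compile(line.split("=", 1)[1].strip())
    raise ValueError(f"no REGEX in stanza [{stanza}]")


DROP_PATTERN = regex_from_transforms(TRANSFORMS_CONF, "drop_orig_h_192_168_0_1")

# A tempting but wrong pattern: the unanchored ".*" lets it run from id.orig_h
# into id.resp_h, and without the closing quote it also hits 192.168.0.10.
NAIVE_PATTERN = re.compile(r'id\.orig_h.*192\.168\.0\.1')

# Constructed Zeek/Bro conn.log lines in JSON form (not real captured data).
SAMPLE_EVENTS = [
    # orig_h is exactly 192.168.0.1 -> should be dropped
    '{"ts":1659487200.123,"uid":"CAbc1","id.orig_h":"192.168.0.1","id.orig_p":51234,'
    '"id.resp_h":"10.0.0.5","id.resp_p":443,"proto":"tcp"}',
    # orig_h is 192.168.0.10, a different host -> must be kept
    '{"ts":1659487201.456,"uid":"CAbc2","id.orig_h":"192.168.0.10","id.orig_p":51235,'
    '"id.resp_h":"10.0.0.5","id.resp_p":443,"proto":"tcp"}',
    # 192.168.0.1 appears only as resp_h -> must be kept
    '{"ts":1659487202.789,"uid":"CAbc3","id.orig_h":"10.0.0.7","id.orig_p":40000,'
    '"id.resp_h":"192.168.0.1","id.resp_p":53,"proto":"udp"}',
    # same host as the first event but with whitespace around the colon -> dropped
    '{"ts": 1659487203.0, "uid": "CAbc4", "id.orig_h": "192.168.0.1", '
    '"id.orig_p": 51236, "id.resp_h": "10.0.0.9", "id.resp_p": 80, "proto": "tcp"}',
]


def should_drop(raw_event: str, pattern: "re.Pattern[str]" = DROP_PATTERN) -> bool:
    """True if Splunk would route this raw event to nullQueue under the pattern."""
    return pattern.search(raw_event) is not None


def route_events(events, pattern=DROP_PATTERN):
    """Split events the way the indexing pipeline would: (dropped, kept)."""
    dropped = [e for e in events if should_drop(e, pattern)]
    kept = [e for e in events if not should_drop(e, pattern)]
    return dropped, kept


if __name__ == "__main__":
    dropped, kept = route_events(SAMPLE_EVENTS)
    print(f"nullQueue: {len(dropped)} event(s), indexed: {len(kept)} event(s)")
    naive_dropped, _ = route_events(SAMPLE_EVENTS, NAIVE_PATTERN)
    print(f"naive pattern would have dropped {len(naive_dropped)} of {len(SAMPLE_EVENTS)}")
```

Both files belong on the indexer or heavy forwarder that first parses the data; a universal forwarder does not run these transforms, which is one reason the inputs.conf attempts in the question cannot work for non-Windows inputs. After deploying and restarting, confirm with a search over the sourcetype that no events with `id.orig_h=192.168.0.1` are still arriving. If more addresses need dropping later, widen the one anchored REGEX with an alternation rather than adding a loose pattern like the naive one above, which also discards events where the address appears only as the responder.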