Getting Data In

How do I blacklist events with a field containing a specific value?

dbuehler
Loves-to-Learn Everything

I have a set of JSON data and I would like to ignore (blacklist) all events where the field "id.orig_h" contains the value "192.168.0.1".

So far, I've tried using the blacklisting procedure for Windows EventCodes as a model, but with no success. Example EventCode blacklist:

[WinEventLog:Security]
blacklist1 = EventCode = "4662" Message = "Account Name:\s+(example account)"

What I've tried:

1) Adding the blacklist underneath the monitor stanza in inputs.conf

[monitor:///opt/bro/logs/current]
index = yada
sourcetype = yadayada
blacklist = id.orig_h = "192.168.0.1"

2) Adding the blacklist under a separate sourcetype stanza in inputs.conf

[monitor:///opt/bro/logs/current]
index = yada
sourcetype = yadayada

[yadayada]
blacklist = id.orig_h = "192.168.0.1"

How can I achieve this?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The technique for blacklisting Windows event log data only works for Windows event log data. To ignore other events, use props and transforms to send selected events to the NULL queue. See https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_... and https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html .

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...