I'm trying to use blacklist on the Universal Forwarder to prevent unwanted events from being sent and indexed. Splunk instance and UF are both version 6.1.3
On the machine with UF, I went to
The inputs.conf file looks like this:
    [default]
    host = Win7HP8440p

    [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
So I added a stanza as shown in many models and now it looks like this:
    [default]
    host = Win7HP8440p

    [WinEventLog://System]
    disabled = false
    blacklist1 = 7036

    [script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
I rebooted the host with the UF and then checked on the Splunk instance and Event code 7036 keeps coming through.
I have tried many variations to match the examples I have seen (like disabled = 0, or removing the spaces around the = signs, etc.), but so far nothing seems to work.
Any reason to add 1 to blacklist? It could be simply "blacklist = 7036".
I've tried with and without the 1. I saw it as "blacklist1" in some examples.
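To make the two forms discussed above concrete (the plain event-ID list from the question and the comment, and the key=regex form that blacklist1 is usually used for), here is an added example that is not part of the thread and not Splunk's code. It is a small Python model of how a WinEventLog whitelist/blacklist line is applied, written from the syntax documented for inputs.conf and assumed here: a comma-separated list of event IDs or ranges ("7036", "4624-4634,7045"), or key=regex pairs with the regex delimited by % signs or double quotes ("EventCode=%^7036$% Message=%running state%"); all pairs on one line must match, any matching blacklist line drops the event, and a blacklist wins over a whitelist. The config text and events are constructed. On the forwarder itself, `splunk btool inputs list --debug` prints the merged configuration together with the file each setting comes from, which is the quickest way to see whether the stanza is actually being read and from which file.

```python
"""Model of how Splunk-style WinEventLog blacklist/whitelist lines filter events.

Added example, not the forwarder's own code. Assumed syntax (from the
inputs.conf spec): an ID list with ranges, or key=regex pairs delimited by
% or double quotes. Pairs on one line are ANDed; blacklist lines are ORed;
a blacklist match always drops the event. Sample data below is constructed.
"""
import configparser
import re

ID_LIST_RE = re.compile(r"^\d+(\s*-\s*\d+)?(\s*,\s*\d+(\s*-\s*\d+)?)*$")
KEY_REGEX_RE = re.compile(r'(\w+)=(?:%([^%]*)%|"([^"]*)")')


def parse_filter(value):
    """Turn one whitelist/blacklist value into a predicate over an event dict."""
    value = value.strip()
    if ID_LIST_RE.match(value):
        # Form 1: "7036" or "4624-4634,7045" -> set of event IDs
        ids = set()
        for part in value.split(","):
            lo, _, hi = part.partition("-")
            lo, hi = int(lo), int(hi) if hi.strip() else int(lo)
            ids.update(range(lo, hi + 1))
        return lambda ev: str(ev.get("EventCode", "")).isdigit() and int(ev["EventCode"]) in ids
    # Form 2: key=regex pairs; every pair on the line must match (logical AND)
    pairs = [(key, re.compile(pct or quoted)) for key, pct, quoted in KEY_REGEX_RE.findall(value)]
    if not pairs:
        raise ValueError(f"unrecognised filter syntax: {value!r}")
    return lambda ev: all(rx.search(str(ev.get(key, ""))) for key, rx in pairs)


def load_filters(conf_text, stanza):
    """Return (whitelist predicates, blacklist predicates) for one stanza.

    interpolation=None: otherwise configparser treats the % regex delimiters
    as its own interpolation syntax and raises.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    white, black = [], []
    for key, value in cp.items(stanza):
        if re.fullmatch(r"whitelist\d?", key):
            white.append(parse_filter(value))
        elif re.fullmatch(r"blacklist\d?", key):
            black.append(parse_filter(value))
    return white, black


def filter_events(conf_text, stanza, events):
    """Events that would still be forwarded: whitelist (if any) must match,
    then any matching blacklist line drops the event."""
    white, black = load_filters(conf_text, stanza)
    kept = []
    for ev in events:
        if white and not any(w(ev) for w in white):
            continue
        if any(b(ev) for b in black):
            continue
        kept.append(ev)
    return kept


# Constructed inputs.conf text: the stanza from the question, one setting per line.
CONF_SIMPLE = """
[default]
host = Win7HP8440p

[WinEventLog://System]
disabled = false
blacklist1 = 7036

[script://$SPLUNK_HOME\\bin\\scripts\\splunk-wmi.path]
"""

# Same input, but the key=regex form drops only those 7036 events whose
# message reports a service entering the running state.
CONF_ADVANCED = CONF_SIMPLE.replace(
    "blacklist1 = 7036",
    "blacklist1 = EventCode=%^7036$% Message=%entered the running state%",
)

# Constructed sample events carrying only the fields the filters inspect.
SAMPLE_EVENTS = [
    {"EventCode": "7036", "Message": "The Print Spooler service entered the running state."},
    {"EventCode": "7045", "Message": "A service was installed in the system."},
    {"EventCode": "7036", "Message": "The Print Spooler service entered the stopped state."},
]


def forwarded_codes(conf_text, stanza="WinEventLog://System", events=SAMPLE_EVENTS):
    """EventCodes that would still be forwarded under the given inputs.conf text."""
    return [ev["EventCode"] for ev in filter_events(conf_text, stanza, events)]


if __name__ == "__main__":
    print("blacklist1 = 7036          ->", forwarded_codes(CONF_SIMPLE))
    print("blacklist1 = EventCode=... ->", forwarded_codes(CONF_ADVANCED))
```

Running it shows that the plain ID form drops every 7036 regardless of message, while the key=regex form keeps the 7036 "stopped state" event, which is the difference that usually decides between `blacklist` and the numbered `blacklistN` lines.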