Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do I edit my wineventlog configuration to blac...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I edit my wineventlog configuration to blacklist a specific SourceName?
Hello, everyone.
I am having trouble finding a solution to blacklisting a SourceName called "SCLIntra Mobile Sync Service" on my forwarders. Anyone?
inputs.conf
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
blacklist = SourceName="SCLIntra Mobile Sync Service"
Thanks,
James
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rmsit,
Try this;
blacklist = SourceName=\"SCLIntra\sMobile\sSync\sService\"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is normal Windows event log data. Nothing else is blacklisted/whitelisted for the Application log.
1/14/16
9:56:32.000 AM
01/14/2016 09:56:32 AM
LogName=Application
SourceName=SCLIntra Mobile Sync Service
EventCode=100
EventType=2
Severity = Error
SourceName = SCLIntra Mobile Sync Service
host = v1651ancay014
index = wineventlog
linecount = 55
source = WinEventLog:Application
sourcetype = WinEventLog:Application
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its weird, try this, tested on Application logs this time.
blacklist = SourceName=%^SLCIntra\sMobile\ssSync\ssService$%
EDIT: Had a typo on SLCIntra.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Spoke too soon...still not working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is working on my events with Splunk 6.3.x, was't working till I've found a "." at the end of the string.
blacklist = SourceName="SCLIntra Mobile Sync Service\."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I will try it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am still seeing this SoureName from my forwarder. Is it possible the UF cannot filter it? The UF is version 6.3.1.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Universal Forwarders can filter wineventlogs since Splunk 6+.
Can you paste an event sample ? Are u black/whitelisting any other thing ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works! Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm glad it worked out. Remember its key=regex when you black/whitelist.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
