Hello, everyone.
I am having trouble finding a solution to blacklisting a SourceName called "SCLIntra Mobile Sync Service" on my forwarders. Anyone?
inputs.conf
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
blacklist = SourceName="SCLIntra Mobile Sync Service"
Thanks,
James
Rmsit,
Try this:
blacklist = SourceName=\"SCLIntra\sMobile\sSync\sService\"
It is normal Windows event log data. Nothing else is blacklisted/whitelisted for the Application log.
1/14/16
9:56:32.000 AM
01/14/2016 09:56:32 AM
LogName=Application
SourceName=SCLIntra Mobile Sync Service
EventCode=100
EventType=2
Severity = Error
SourceName = SCLIntra Mobile Sync Service
host = v1651ancay014
index = wineventlog
linecount = 55
source = WinEventLog:Application
sourcetype = WinEventLog:Application
It's weird. Try this, tested on Application logs this time.
blacklist = SourceName=%^SLCIntra\sMobile\ssSync\ssService$%
EDIT: Had a typo on SLCIntra.
Spoke too soon...still not working.
This is working on my events with Splunk 6.3.x; it wasn't working until I found a "." at the end of the string.
blacklist = SourceName="SCLIntra Mobile Sync Service\."
Thank you. I will try it.
I am still seeing this SourceName from my forwarder. Is it possible the UF cannot filter it? The UF is version 6.3.1.
Universal Forwarders can filter wineventlogs since Splunk 6+.
Can you paste an event sample? Are you blacklisting/whitelisting anything else?
This works! Thanks!
I'm glad it worked out. Remember it's key=regex when you black/whitelist.
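To pre-check a key=regex filter against a sample event before pushing inputs.conf to forwarders, here is an added example (not code from any poster in this thread or from Splunk). It assumes the first character after `=` delimits the regex, as in the `%...%` and `"..."` forms above, and uses Python's `re` in place of the forwarder's regex engine; it checks only whether the pattern matches the field value, not how the forwarder behaves.

```python
import re

# Constructed from the event sample posted in the thread.
SAMPLE_EVENT = {
    "LogName": "Application",
    "SourceName": "SCLIntra Mobile Sync Service",
    "EventCode": "100",
    "EventType": "2",
}

def parse_filter(value):
    """Split 'Key=<d>regex<d>' into (key, compiled regex).

    Assumption: the first character after '=' is the delimiter and the
    same character closes the pattern (the %...% and "..." forms).
    """
    key, sep, rest = value.partition("=")
    key, rest = key.strip(), rest.strip()
    if not sep or len(rest) < 2 or rest[0].isalnum() or rest[-1] != rest[0]:
        raise ValueError("expected key=<delim>regex<delim>: %r" % value)
    return key, re.compile(rest[1:-1])

def is_blacklisted(value, event):
    """True if the event carries the key and the regex matches its value."""
    key, rx = parse_filter(value)
    field = event.get(key)
    return field is not None and rx.search(field) is not None

CANDIDATES = [
    # As posted in the question.
    'SourceName="SCLIntra Mobile Sync Service"',
    # As posted in a reply (SLCIntra, \ss instead of \s).
    r'SourceName=%^SLCIntra\sMobile\ssSync\ssService$%',
    # Constructed here: the same anchored pattern with those typos removed.
    r'SourceName=%^SCLIntra\sMobile\sSync\sService$%',
    # As posted in a reply: requires a literal trailing "." in the value.
    r'SourceName="SCLIntra Mobile Sync Service\."',
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print("%-5s %s" % (is_blacklisted(c, SAMPLE_EVENT), c))
```
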