I am having trouble finding a solution to blacklisting a SourceName called "SCLIntra Mobile Sync Service" on my forwarders. Anyone?
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
blacklist = SourceName="SCLIntra Mobile Sync Service"
This is working on my events with Splunk 6.3.x; it wasn't working until I found a "." at the end of the string.
blacklist = SourceName="SCLIntra Mobile Sync Service\."
I am still seeing this SourceName from my forwarder. Is it possible the UF cannot filter it? The UF is version 6.3.1.
Universal Forwarders can filter wineventlogs since Splunk 6+.
Can you paste an event sample? Are you black/whitelisting any other thing?
It is normal Windows event log data. Nothing else is blacklisted/whitelisted for the Application log.
01/14/2016 09:56:32 AM
SourceName=SCLIntra Mobile Sync Service
Severity = Error
SourceName = SCLIntra Mobile Sync Service
host = v1651ancay014
index = wineventlog
linecount = 55
source = WinEventLog:Application
sourcetype = WinEventLog:Application