Getting Data In

How do I edit my wineventlog configuration to blacklist a specific SourceName?

rmsit
Communicator

Hello, everyone.

I am having trouble finding a solution to blacklisting a SourceName called "SCLIntra Mobile Sync Service" on my forwarders. Anyone?

inputs.conf

[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
blacklist = SourceName="SCLIntra Mobile Sync Service"

Thanks,
James

0 Karma

alemarzu
Motivator

Rmsit,

Try this;

blacklist = SourceName=\"SCLIntra\sMobile\sSync\sService\"
0 Karma

rmsit
Communicator

It is normal Windows event log data. Nothing else is blacklisted/whitelisted for the Application log.

1/14/16
9:56:32.000 AM

01/14/2016 09:56:32 AM
LogName=Application
SourceName=SCLIntra Mobile Sync Service
EventCode=100
EventType=2
Severity = Error

SourceName = SCLIntra Mobile Sync Service

host = v1651ancay014

index = wineventlog

linecount = 55

source = WinEventLog:Application

sourcetype = WinEventLog:Application

0 Karma

alemarzu
Motivator

Its weird, try this, tested on Application logs this time.

blacklist = SourceName=%^SLCIntra\sMobile\ssSync\ssService$%

EDIT: Had a typo on SLCIntra.

0 Karma

rmsit
Communicator

Spoke too soon...still not working.

0 Karma

alemarzu
Motivator

This is working on my events with Splunk 6.3.x, was't working till I've found a "." at the end of the string.

blacklist = SourceName="SCLIntra Mobile Sync Service\."
0 Karma

rmsit
Communicator

Thank you. I will try it.

0 Karma

rmsit
Communicator

I am still seeing this SoureName from my forwarder. Is it possible the UF cannot filter it? The UF is version 6.3.1.

0 Karma

alemarzu
Motivator

Universal Forwarders can filter wineventlogs since Splunk 6+.

Can you paste an event sample ? Are u black/whitelisting any other thing ?

0 Karma

rmsit
Communicator

This works! Thanks!

0 Karma

alemarzu
Motivator

I'm glad it worked out. Remember its key=regex when you black/whitelist.

0 Karma