How do I edit my wineventlog configuration to blacklist a specific SourceName?

Communicator

Hello, everyone.

I am having trouble finding a solution to blacklisting a SourceName called "SCLIntra Mobile Sync Service" on my forwarders. Anyone?

inputs.conf

[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
blacklist = SourceName="SCLIntra Mobile Sync Service"

Thanks,
James

0 Karma

Re: How do I edit my wineventlog configuration to blacklist a specific SourceName?

Motivator

Rmsit,

Try this:

blacklist = SourceName=\"SCLIntra\sMobile\sSync\sService\"
0 Karma

Re: How do I edit my wineventlog configuration to blacklist a specific SourceName?

Communicator

This works! Thanks!

0 Karma

Re: How do I edit my wineventlog configuration to blacklist a specific SourceName?

Motivator

I'm glad it worked out. Remember it's key=regex when you black/whitelist.

0 Karma

Re: How do I edit my wineventlog configuration to blacklist a specific SourceName?

Communicator

Spoke too soon...still not working.

0 Karma

Re: How do I edit my wineventlog configuration to blacklist a specific SourceName?

Motivator

This is working on my events with Splunk 6.3.x; it wasn't working till I found a "." at the end of the string.

blacklist = SourceName="SCLIntra Mobile Sync Service\."
0 Karma

Re: How do I edit my wineventlog configuration to blacklist a specific SourceName?

Communicator

Thank you. I will try it.

0 Karma

Re: How do I edit my wineventlog configuration to blacklist a specific SourceName?

Communicator

I am still seeing this SourceName from my forwarder. Is it possible the UF cannot filter it? The UF is version 6.3.1.

0 Karma

Re: How do I edit my wineventlog configuration to blacklist a specific SourceName?

Motivator

Universal Forwarders can filter wineventlogs since Splunk 6+.

Can you paste an event sample? Are you black/whitelisting any other thing?

0 Karma

Re: How do I edit my wineventlog configuration to blacklist a specific SourceName?

Communicator

It is normal Windows event log data. Nothing else is blacklisted/whitelisted for the Application log.

1/14/16
9:56:32.000 AM

01/14/2016 09:56:32 AM
LogName=Application
SourceName=SCLIntra Mobile Sync Service
EventCode=100
EventType=2
Severity = Error

SourceName = SCLIntra Mobile Sync Service

host = v1651ancay014

index = wineventlog

linecount = 55

source = WinEventLog:Application

sourcetype = WinEventLog:Application

0 Karma
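Added example, not part of any post in this thread and not Splunk's code: an offline check of the blacklist patterns discussed above against the event sample pasted in the last post. It assumes the forwarder treats the delimited text after `key=` as an unanchored regex searched against that key's value; the helper names (`parse_rule`, `event_fields`, `is_blacklisted`) are hypothetical.

```python
import re

# Event text as pasted in the thread (key=value lines of the Application log event).
SAMPLE_EVENT = """01/14/2016 09:56:32 AM
LogName=Application
SourceName=SCLIntra Mobile Sync Service
EventCode=100
EventType=2
"""

# "original" and "trailing_dot" are verbatim from the thread; "whitespace_class"
# is the \s pattern with the backslashes before the quotes dropped (constructed
# variant, so the double quote is the delimiter in all three).
RULES = {
    "original": r'SourceName="SCLIntra Mobile Sync Service"',
    "whitespace_class": r'SourceName="SCLIntra\sMobile\sSync\sService"',
    "trailing_dot": r'SourceName="SCLIntra Mobile Sync Service\."',
}

def parse_rule(rule):
    """Split 'Key=<delim>regex<delim>' into (key, compiled regex)."""
    key, sep, rest = rule.partition("=")
    if not sep or len(rest) < 2 or rest[0] != rest[-1]:
        raise ValueError("expected key=<delim>regex<delim>: %r" % rule)
    return key.strip(), re.compile(rest[1:-1])

def event_fields(text):
    """Collect key=value lines; lines without '=' (the timestamp) are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def is_blacklisted(rule, event_text):
    """Assumed semantics: unanchored regex search on the named key's value."""
    key, regex = parse_rule(rule)
    value = event_fields(event_text).get(key)
    return value is not None and regex.search(value) is not None

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(name, "->", is_blacklisted(rule, SAMPLE_EVENT))
```

Under these assumptions the pattern ending in `\.` only matches events whose SourceName value ends with a literal period, which the sample pasted above does not.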