Getting Data In

How do I exclude WinEventsLog:Application files from being forwarded?

mawomommoh
Path Finder

Whenever I check the files that have been forwarded to my Splunk index, I see a bunch of files having their source = WinEventsLog:Application. I did not explicitly put a monitor stanza for such files and I wonder why my forwarder is always sending them to my Splunk instance. When I look at the individual events of the source, they are of the form:

  • LogName=Application
    SourceName=Microsoft-Windows-CertificateServicesClient-CertEnroll
    ...

  • LogName=Application
    SourceName=Symantec Antivirus
    ...

  • LogName=Application
    SourceName=NVWMI
    ...

... indicates that there are more field-value pairs in the events.

How do I exclude or prevent my forwarder from sending files from the WinEventsLog:Application source? It is clogging my index with data I don't need. Any help would be appreciated. Thanks!

0 Karma
1 Solution

HiroshiSatoh
Champion

mawomommoh
Path Finder

Thanks for the info!

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...