Solved: How do I exclude WinEventsLog:Application files fr...

mawomommoh · ‎07-08-2018

Whenever I check the files that have been forwarded to my Splunk index, I see a bunch of files having their source = WinEventsLog:Application. I did not explicitly put a monitor stanza for such files and I wonder why my forwarder is always sending them to my Splunk instance. When I look at the individual events of the source, they are of the form:

LogName=Application SourceName=Microsoft-Windows-CertificateServicesClient-CertEnroll ...
LogName=Application SourceName=Symantec Antivirus ...
LogName=Application SourceName=NVWMI ...

... indicates that there are more field-value pairs in the events.

How do I exclude or prevent my forwarder from sending files from the WinEventsLog:Application source? It is clogging my index with data I don't need. Any help would be appreciated. Thanks!

HiroshiSatoh · ‎07-08-2018

Please look at this answer.

https://answers.splunk.com/answers/122268/disable-forwarding-of-windows-event-logs.html

View solution in original post

HiroshiSatoh · ‎07-08-2018

Please look at this answer.

https://answers.splunk.com/answers/122268/disable-forwarding-of-windows-event-logs.html

mawomommoh · ‎07-11-2018

Thanks for the info!

How do I exclude WinEventsLog:Application files from being forwarded?

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Join the Conversation

How do I exclude WinEventsLog:Application files from being forwarded?

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...