Solved: Re: How do I exclude WinEventsLog:Application file...

mawomommoh · ‎07-08-2018

Whenever I check the files that have been forwarded to my Splunk index, I see a bunch of files having their source = WinEventsLog:Application. I did not explicitly put a monitor stanza for such files and I wonder why my forwarder is always sending them to my Splunk instance. When I look at the individual events of the source, they are of the form:

LogName=Application SourceName=Microsoft-Windows-CertificateServicesClient-CertEnroll ...
LogName=Application SourceName=Symantec Antivirus ...
LogName=Application SourceName=NVWMI ...

... indicates that there are more field-value pairs in the events.

How do I exclude or prevent my forwarder from sending files from the WinEventsLog:Application source? It is clogging my index with data I don't need. Any help would be appreciated. Thanks!

HiroshiSatoh · ‎07-08-2018

Please look at this answer.

https://answers.splunk.com/answers/122268/disable-forwarding-of-windows-event-logs.html

View solution in original post

HiroshiSatoh · ‎07-08-2018

Please look at this answer.

https://answers.splunk.com/answers/122268/disable-forwarding-of-windows-event-logs.html

mawomommoh · ‎07-11-2018

Thanks for the info!

How do I exclude WinEventsLog:Application files from being forwarded?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation