Hello,
Hi @garrywilmeth,
if you're speaking of WinEventLog, you can blacklist some EventCodes in inputs.conf; for more information see https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf
In a few words, put in the WinEventLog stanza:
# Filtering at the input layer is desirable to reduce the total
# processing load in network transfer and computation on the Splunk platform
# nodes that acquire and processing Event Log data.
blacklist = <list of eventIDs> | key=regex [key=regex]
If instead it's another kind of data source, you have to filter your data on the Indexers or (if present) on the Heavy Forwarders, following the instructions at https://docs.splunk.com/Documentation/Splunk/8.2.6/Forwarding/Routeandfilterdatad#Filter_event_data_...
In a few words, if you need to discard only some data (the events containing the string "C:\Program Files\Rapid7\Insight Agent\components\insight_agent\3.1.5.14\ir_agent.exe"), you have to put in props.conf:
[source::/var/log/messages]
TRANSFORMS-null= setnull
and in transforms.conf:
[setnull]
REGEX = C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\3.1.5.14\\ir_agent.exe
DEST_KEY = queue
FORMAT = nullQueue
and restart Splunk.
Ciao.
Giuseppe
Hello @gcusello,
Thank you for the reply. Yes, the events are from the Windows Security event log. I don't want to filter all 4703 events coming from the Windows event log, only those also containing IR_agent.exe. As for the path of the agent, the filename IR_agent.exe is constant, while the path contains the version number and changes when the agent is upgraded.
Can this be done at the inputs.conf level?
Thanks,
Garry
Hi @garrywilmeth,
yes, you can: as you can see in the inputs.conf documentation, you have:
blacklist = <list of eventIDs> | key=regex [key=regex]
so you can blacklist an EventCode or a regex in inputs.conf.
Ciao.
Giuseppe
Something like this?
blacklist = EventCode="4703" Message="\\ir_agent.exe"
Hi @garrywilmeth,
check the regex against the data already indexed in Splunk: if this regex matches the events to discard, you can apply it to the blacklist.
Ciao.
Giuseppe
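To check a key=regex blacklist against sample events before putting it in inputs.conf, here is an added Python example (not code from the thread or from Splunk). It assumes the documented rule that every key=regex pair must match for an event to be dropped, and runs on constructed event text, including a second agent version to show the path change does not break the match.

```python
import re

# Constructed sample events (not real log data): EventCode and Message as
# the Windows Security log would present them to the inputs.conf blacklist.
AGENT_DIR = "C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\"
SAMPLE_EVENTS = [
    {"EventCode": "4703",
     "Message": "A user right was adjusted. Process Name: " + AGENT_DIR + "3.1.5.14\\ir_agent.exe"},
    {"EventCode": "4703",  # same agent after an upgrade: only the version folder changed
     "Message": "A user right was adjusted. Process Name: " + AGENT_DIR + "3.2.0.1\\ir_agent.exe"},
    {"EventCode": "4703",  # unrelated 4703 event that must be kept
     "Message": "A user right was adjusted. Process Name: C:\\Windows\\System32\\svchost.exe"},
    {"EventCode": "4688",  # same binary, different EventCode: must be kept
     "Message": "A new process has been created. New Process Name: " + AGENT_DIR + "3.1.5.14\\ir_agent.exe"},
]

# The blacklist value under test, written as it would appear in inputs.conf.
# The dot is escaped so the regex only matches the literal file name.
BLACKLIST = r'EventCode="4703" Message="\\ir_agent\.exe"'

# key="regex" pairs; the regex may contain escaped quotes or backslashes.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_blacklist(line):
    """Split a key=regex blacklist value into (key, compiled regex) pairs."""
    pairs = [(key, re.compile(rx)) for key, rx in PAIR_RE.findall(line)]
    if not pairs:
        raise ValueError("no key=regex pairs found in blacklist value")
    return pairs


def is_blacklisted(event, pairs):
    """True when every key's regex finds a match in that key's value.
    Assumed semantics: all key=regex pairs must match for the event to be dropped.
    Note the EventCode regex is unanchored, so "4703" would also match "14703";
    anchor it (^4703$) if that matters for your data."""
    return all(rx.search(event.get(key, "")) is not None for key, rx in pairs)


def apply_blacklist(events, line):
    """Return (kept, dropped) lists for the given blacklist value."""
    pairs = parse_blacklist(line)
    kept = [e for e in events if not is_blacklisted(e, pairs)]
    dropped = [e for e in events if is_blacklisted(e, pairs)]
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = apply_blacklist(SAMPLE_EVENTS, BLACKLIST)
    print(f"dropped {len(dropped)} event(s), kept {len(kept)}")
```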