Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to blacklist specific occurrences of a particular eventcode?

jh007
New Member
‎08-01-2017 03:05 PM

I am attempting to blacklist a series of process creation events (eventcode 4688) because they are noise and will break my index cap. In short, I need to be able to keep 4688 events while filtering out the garbage. Here is what I have so far:

blacklist1 = EventCode="4688" Message="(.*splunk.*|.*WmiP.*|.*SearchFilterHost.*|.*taskhost.*|.*TrustedInstaller.*|.*dllhost.*).*.exe"

Any help would be greatly appreciated.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-02-2017 12:47 AM

Hi jh007,
you could filter these events on the indexer before indexing:
in props.conf

TRANSFORMS-set-AS=set_AS,set_nullqueue

in transforms.conf

# nullqueue #
[set_nullqueue]
REGEX=EventCode\=4688
DEST_KEY=queue
FORMAT=nullQueue
# AS #
[set_AS]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

Beware how it's written EventCode=4688: if there are spaces or brackets modify my regex.

Bye.
Giuseppe

0 Karma
Reply

jh007
New Member
‎08-02-2017 08:37 AM

Hello Giuseppe,

I think you may of misunderstood what I was asking. I need to keep 4688 events except for the few specific ones I listed in my post. My issue has been figuring out how to make the blacklist acknowledge which components I want it to filter. All my previous attempts to filter specific 4688 events have stopped ALL 4688 events from coming in rather than ones I don't want. In summary, I need to know if there is in fact a way to blacklist what I am trying to do just like Splunk's documentation has suggested.

Thank you
James

0 Karma
Reply

jh007
New Member
‎08-15-2017 02:51 PM

Hello Giuseppe,

So I got the blacklist working for one event through the inputs.conf file. (see below)

blacklist1 = EventCode="4688" Message=".*[\S\s]*Account\sName:\s+[\S+]+[\$]"

Thank you for your help

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-02-2017 08:44 AM

Hi jh007,
if your need is to take all events with 4688 except the ones you listed, you have to modify my transforms.conf (props.conf is the same) as following

 # nullqueue #
 [set_nullqueue]
 REGEX=Message\=\"(.*splunk.*|.*WmiP.*|.*SearchFilterHost.*|.*taskhost.*|.*TrustedInstaller.*|.*dllhost.*).*.exe\"
 DEST_KEY=queue
 FORMAT=nullQueue
 # AS #
 [set_AS]
 REGEX=EventCode\=4688
 DEST_KEY = queue
 FORMAT = indexQueue

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...