Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to blacklist specific occurrences of a particular eventcode?

jh007
New Member
‎08-01-2017 03:05 PM

I am attempting to blacklist a series of process creation events (eventcode 4688) because they are noise and will break my index cap. In short, I need to be able to keep 4688 events while filtering out the garbage. Here is what I have so far:

blacklist1 = EventCode="4688" Message="(.*splunk.*|.*WmiP.*|.*SearchFilterHost.*|.*taskhost.*|.*TrustedInstaller.*|.*dllhost.*).*.exe"

Any help would be greatly appreciated.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-02-2017 12:47 AM

Hi jh007,
you could filter these events on the indexer before indexing:
in props.conf

TRANSFORMS-set-AS=set_AS,set_nullqueue

in transforms.conf

# nullqueue #
[set_nullqueue]
REGEX=EventCode\=4688
DEST_KEY=queue
FORMAT=nullQueue
# AS #
[set_AS]
REGEX=.
DEST_KEY = queue
FORMAT = indexQueue

Beware how it's written EventCode=4688: if there are spaces or brackets modify my regex.

Bye.
Giuseppe

0 Karma
Reply

jh007
New Member
‎08-02-2017 08:37 AM

Hello Giuseppe,

I think you may of misunderstood what I was asking. I need to keep 4688 events except for the few specific ones I listed in my post. My issue has been figuring out how to make the blacklist acknowledge which components I want it to filter. All my previous attempts to filter specific 4688 events have stopped ALL 4688 events from coming in rather than ones I don't want. In summary, I need to know if there is in fact a way to blacklist what I am trying to do just like Splunk's documentation has suggested.

Thank you
James

0 Karma
Reply

jh007
New Member
‎08-15-2017 02:51 PM

Hello Giuseppe,

So I got the blacklist working for one event through the inputs.conf file. (see below)

blacklist1 = EventCode="4688" Message=".*[\S\s]*Account\sName:\s+[\S+]+[\$]"

Thank you for your help

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-02-2017 08:44 AM

Hi jh007,
if your need is to take all events with 4688 except the ones you listed, you have to modify my transforms.conf (props.conf is the same) as following

 # nullqueue #
 [set_nullqueue]
 REGEX=Message\=\"(.*splunk.*|.*WmiP.*|.*SearchFilterHost.*|.*taskhost.*|.*TrustedInstaller.*|.*dllhost.*).*.exe\"
 DEST_KEY=queue
 FORMAT=nullQueue
 # AS #
 [set_AS]
 REGEX=EventCode\=4688
 DEST_KEY = queue
 FORMAT = indexQueue

Bye.
Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...