How to blacklist the logs to stop ingesting into s...

AL3Z · ‎09-28-2023

Hi,

I had blacklisted C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe in inputs.conf of Deploymentserver.

blacklist3 = EvenCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)
Still I can see the logs ingestion into splunk, How we can stop this ingestion.

gcusello · ‎09-29-2023

Hi @AL3Z,

I suppose that you modified the inputs.conf in the Add-On (located in $SPLUNK_HOME/etc/deployment-apps) that is deployed using the Deployment Server, is it correct?

To be more sure, check if the regex you used is correct in the search dashboard.

Ciao.

Giuseppe

AL3Z · ‎09-29-2023

Hi, @gcusello ,

yes I've modified the inputs.conf in the Add-On (located in $SPLUNK_HOME/etc/deployment-apps) that is deployed using the Deployment Server.

When I try this in search head it is not giving any results , Do we need to modify spl ?
index=winsec host=xxx
| regex "(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)"

Thanks

gcusello · ‎09-29-2023

Hi @AL3Z,

if you don't have results to the control search and you have all the other logs, you solved your issue.

Ciao.

Giuseppe

How to blacklist the logs to stop ingesting into splunk.

blacklist

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Join the Conversation

How to blacklist the logs to stop ingesting into splunk.

blacklist

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events