How to blacklist the logs to stop ingesting into s...

AL3Z · ‎09-28-2023

Hi,

I had blacklisted C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe in inputs.conf of Deploymentserver.

blacklist3 = EvenCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)
Still I can see the logs ingestion into splunk, How we can stop this ingestion.

gcusello · ‎09-29-2023

Hi @AL3Z,

I suppose that you modified the inputs.conf in the Add-On (located in $SPLUNK_HOME/etc/deployment-apps) that is deployed using the Deployment Server, is it correct?

To be more sure, check if the regex you used is correct in the search dashboard.

Ciao.

Giuseppe

AL3Z · ‎09-29-2023

Hi, @gcusello ,

yes I've modified the inputs.conf in the Add-On (located in $SPLUNK_HOME/etc/deployment-apps) that is deployed using the Deployment Server.

When I try this in search head it is not giving any results , Do we need to modify spl ?
index=winsec host=xxx
| regex "(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)"

Thanks

gcusello · ‎09-29-2023

Hi @AL3Z,

if you don't have results to the control search and you have all the other logs, you solved your issue.

Ciao.

Giuseppe

How to blacklist the logs to stop ingesting into splunk.

blacklist

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

Join the Conversation