How to blacklist the logs to stop ingesting into s...

AL3Z · ‎09-28-2023

Hi,

I had blacklisted C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe in inputs.conf of Deploymentserver.

blacklist3 = EvenCode="4688" Message="(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)
Still I can see the logs ingestion into splunk, How we can stop this ingestion.

gcusello · ‎09-29-2023

Hi @AL3Z,

I suppose that you modified the inputs.conf in the Add-On (located in $SPLUNK_HOME/etc/deployment-apps) that is deployed using the Deployment Server, is it correct?

To be more sure, check if the regex you used is correct in the search dashboard.

Ciao.

Giuseppe

AL3Z · ‎09-29-2023

Hi, @gcusello ,

yes I've modified the inputs.conf in the Add-On (located in $SPLUNK_HOME/etc/deployment-apps) that is deployed using the Deployment Server.

When I try this in search head it is not giving any results , Do we need to modify spl ?
index=winsec host=xxx
| regex "(?:New Process Name:).+(?:SplunkUniversalForwarder\\bin\\splunk.exe)"

Thanks

gcusello · ‎09-29-2023

Hi @AL3Z,

if you don't have results to the control search and you have all the other logs, you solved your issue.

Ciao.

Giuseppe

How to blacklist the logs to stop ingesting into splunk.

blacklist

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Are you a member of the Splunk Community?