Getting Data In

How to configure inputs.conf to blacklist "Account Name" field for EventCode 4656?

Explorer

Splunk 6.2.6 inputs.conf blacklisting
Viewed numerous blogs and answers on similar topics, but can't come up with the correct string for my need. Also looked at the inputs.conf spec.

For Event 4656, in the Account Name: field, I don't want to see computer names. In the "Account Name" field, all computers begin with a common word which I'll call "junk" for the purposes of this post and end with a "$".

blacklist = EventCode=4656 Message="Object Type:\s+(junk*$)"

I've tried a couple dozen other methods and iterations all with no success. Would appreciate any help as this item is crushing my license!

Explorer

Sorry for the 24 hour delay in posting this. Apparently my thanking two people for responding used the two daily posts I get. So here is the solution:

Thank you everyone for your thought, time and effort. Was my first post so I missed a few key things, but in the end this is the string that worked. I'm not sure why the solutions in the posted links above and from "maciep" didn't work. Here is what did:

blacklist1 = EventCode="4656" Message=".*[\S\s]*Account\sName:\s+[\S+]+[\$]"

Again, not sure why I had to get so specific and not be able to run the examples provided.

Thanks again everyone!
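
Added example (not from this thread): a small Python harness that applies the two regexes quoted above, the poster's first attempt and the one that finally worked, to a constructed 4656 Message so you can see which events a blacklist would drop and why. It assumes the match is anchored at the start of the Message (re.match), which fits the poster's finding that the leading `[\S\s]*` was required; the event text, the "JUNK" prefix and the account names are constructed.

```python
import re

# Constructed sample of a Windows Security event 4656 Message field (not from
# the thread). Tabs and blank lines mirror the multi-line layout of real events.
COMPUTER_EVENT = (
    "A handle to an object was requested.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001\n"
    "\tAccount Name:\t\tJUNKSRV01$\n"          # computer account, ends in "$"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3E7\n"
    "\n"
    "Object:\n"
    "\tObject Server:\t\tSecurity\n"
    "\tObject Type:\t\tFile\n"
)
USER_EVENT = COMPUTER_EVENT.replace("JUNKSRV01$", "jsmith")  # interactive user

# Regexes quoted from the thread: the first attempt and the one that worked.
# In ATTEMPT, "junk*$" means "jun", any number of "k", then END OF STRING:
# the "$" is an anchor, not the literal dollar sign in the account name.
ATTEMPT = r"Object Type:\s+(junk*$)"
WORKING = r".*[\S\s]*Account\sName:\s+[\S+]+[\$]"
# Constructed variant: same as WORKING but with only ".*" in front. "." does
# not cross newlines, so an anchored match never reaches the Account Name line.
NO_NEWLINE_BRIDGE = r".*Account\sName:\s+[\S+]+[\$]"


def blacklisted(message: str, pattern: str) -> bool:
    """True if the blacklist regex matches the Message field.

    re.match anchors at the start of the string; that anchoring is an
    assumption about how Splunk applies Message=<regex>, consistent with the
    poster needing [\\S\\s]* to get past the first line of the event.
    """
    return re.match(pattern, message) is not None


def apply_blacklist(events, pattern):
    """Split events into (kept, dropped) the way an inputs.conf blacklist would."""
    kept = [e for e in events if not blacklisted(e, pattern)]
    dropped = [e for e in events if blacklisted(e, pattern)]
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = apply_blacklist([COMPUTER_EVENT, USER_EVENT], WORKING)
    print(f"kept={len(kept)} dropped={len(dropped)}")  # kept=1 dropped=1
```

Swap in your own exported 4656 events for the constructed ones to check a candidate regex before touching inputs.conf; a pattern that drops the user event here would silently discard real logon data.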

Explorer

This expression worked perfectly for what I needed. I was able to filter logon from users ending with "$". Thank you for your contribution.


Champion

Couple thoughts... first, is it possible there's another blacklist entry on the box for that event log that is winning over yours? Might be worth running btool just to be sure. No need to pull your hair out if nothing you change is going to matter anyway.

Second, doesn't the Account info come before the Object Type in the message? Meaning, do you want something like this maybe?

blacklist = EventCode=4656 Message="Account Name:\s+(junk*$)"

Explorer

Thanks for the response. What you've posted as an example is what I would have figured would work. Fortunately my configuration is a smaller one and very easy to control since I'm the only admin. I did not have any competing blacklists. Excellent point I didn't think to consider. I did come across a working solution though which I'll post below. Thank you very much for your time and effort.

Motivator

Hello! Please share a sample of your events.

Thanks

Explorer

Sorry for not posting a sample of event 4656. Should have been the first thing I did. I will know better for next time. Thanks for the advice / response. Fortunately I now have my answer.