How to create more than 10 blacklists for the same input

cjaramilloc
Explorer

Hello

Anybody know how to create more than 10 blacklists for the same input in Windows event monitoring?

According to the documentation you can only use blacklist1 through blacklist9: http://docs.splunk.com/Documentation/Splunk/6.5.2/admin/Inputsconf#Windows_Event_Log_Monitor

I have a small license and every once in a while I notice some events I don’t need, and I add them to the blacklist:

[WinEventLog:Security]
disabled = 0
start_from = oldest
blacklist=5XX5,4XX8,4XX6
blacklist1=EventCode="4XX1" Message="\b. *0xO"
...
blacklist9=EventCode="5XX6" Message="Audit Sucess"

Now I'm trying to add a blacklist10 but I can't. Do you guys know a workaround? Maybe using transforms.

Thank you

Christian


woodcock
Esteemed Legend

If you have more than one blacklist, you must number them all, starting at 1. In the blacklist, you can have ranges (separated by hyphens) or individuals (separated by commas) or both. So combine as much as you can on a single line to make room for other blacklists.

blacklist1 = 5156,5158,4656,4700-5600
blacklist2 = EventCode=%^4689$% Message=%SplunkUniversalForwarder%

Additionally, the "RegEx" used is not normal RegEx; read the documentation here:

http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf#Windows_Event_Log_Monitor
http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/


aaraneta_splunk
Splunk Employee

@cjaramilloc - Did the answer provided by woodcock help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!


koshyk
Super Champion

Do you have a heavy forwarder before your indexer? (Or even the indexer is OK, but it will be CPU intensive.) You can do props/transforms at message level within the heavy forwarder (or indexer) and put them into nullQueue so they are NOT indexed.



cjaramilloc
Explorer

I've already done the combinations, but I still need room for more.


woodcock
Esteemed Legend

So what did it finally look like?


somesoni2
Revered Legend

You should be able to use syntax like this for the remaining blacklist/event filters (using props/transforms on the indexer/heavy forwarder).
https://answers.splunk.com/answers/107605/filtering-events-out-via-props-conf-and-transforms-conf.ht...

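A props.conf/transforms.conf pair of the kind koshyk and somesoni2 describe, as an added example that is not from this thread or from Splunk's own documentation: the transform names, event codes and account name are assumptions chosen for illustration, and the files belong on the heavy forwarder or indexer that parses the data, not on the universal forwarder.

```ini
# props.conf (heavy forwarder or indexer, not the universal forwarder)
# Run the drop rules, in the order listed, against every event of this sourcetype.
[WinEventLog:Security]
TRANSFORMS-drop_noise = drop_by_eventcode, drop_by_message

# transforms.conf
# REGEX here is standard PCRE matched against _raw, not the %...% syntax
# of inputs.conf blacklists. Matching events are routed to nullQueue and
# are never indexed, so they do not count against the license.
[drop_by_eventcode]
# Assumed noisy codes; the classic WinEventLog format carries "EventCode=NNNN" on its own line.
REGEX = (?m)^EventCode=(4700|4701|5156|5158)$
DEST_KEY = queue
FORMAT = nullQueue

[drop_by_message]
# Drop by message content; SVC-PLACEHOLDER stands in for a real service account name.
REGEX = (?m)^\s*Account Name:\s+SVC-PLACEHOLDER\$?\s*$
DEST_KEY = queue
FORMAT = nullQueue
```

Because these rules run at parse time, the events still travel from the universal forwarder to the heavy forwarder before they are dropped; only the inputs.conf blacklists save bandwidth as well as license volume.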