Hello
Anybody know how to create more than 10 blacklists for the same input in Windows event monitoring?
According to documentation you can only use blacklist1 through blacklist9: http://docs.splunk.com/Documentation/Splunk/6.5.2/admin/Inputsconf#Windows_Event_Log_Monitor
I have a small license and every once in a while I notice some events I don’t need, and I add them to the blacklist:
[WinEventLog:Security]
disabled = 0
start_from = oldest
blacklist=5XX5,4XX8,4XX6
blacklist1=EventCode="4XX1" Message="\b. *0xO"
...
blacklist9=EventCode="5XX6" Message="Audit Success"
Now I'm trying to add a blacklist10 but I can't. Do you guys know a workaround, maybe using transforms?
Thank you
Christian
If you have more than one blacklist, you must number them all, starting at 1. In the blacklist, you can have ranges (separated by hyphens) or individuals (separated by commas) or both. So combine as much as you can on a single line to make room for other blacklists.
blacklist1 = 5156,5158,4656,4700-5600
blacklist2 = EventCode=%^4689$% Message=%SplunkUniversalForwarder%
Additionally, the "RegEx" used is not normal RegEx; read the documentation here:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf#Windows_Event_Log_Monitor
http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/
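As an added example (not from the original answer), here is the asker's stanza consolidated into the numbered form woodcock describes: one numeric line carrying both comma-separated codes and hyphenated ranges, and one key=regex line using `%` as the delimiter. The event codes and process names are illustrative assumptions, not values taken from the thread. One caveat a practitioner will want: a range drops every code inside it, so a span as wide as 4700-5600 also discards account, group and Kerberos events that a security team usually keeps; keep ranges narrow and check each one against the Event IDs you rely on before deploying.

```ini
# inputs.conf on the universal forwarder (added example; codes are illustrative assumptions)
[WinEventLog:Security]
disabled = 0
start_from = oldest
# Numeric form: individual codes and hyphenated ranges on a single line.
# 5152-5158 covers the Windows Filtering Platform events (5152, 5154, 5156, 5157, 5158 ...);
# a range drops every code inside it, so keep ranges as narrow as you can.
blacklist1 = 4656,4658,4663,4690,5152-5158
# key=regex form: each value is a regex delimited with % (or ").
# Drops process-creation events for the forwarder's own binaries (assumed process names).
blacklist2 = EventCode=%^4688$% Message=%splunkd\.exe|splunk-winevtlog\.exe%
```

Everything you can express as a code or range belongs on the numeric line; reserve the numbered key=regex lines for the cases that need a Message match, which is where the slots run out.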
@cjaramilloc - Did the answer provided by woodcock help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
Do you have a heavy forwarder before your indexer? (Or even the indexer is OK, but it will be CPU intensive.) You can do props/transforms at the message level within the heavy forwarder (or indexer) and put events into nullQueue so they are NOT indexed.
I've already done the combinations, but I still need room for more.
So what did it finally look like?
You should be able to use syntax like this for the remaining blacklists/event filters (using props/transforms on the indexer/heavy forwarder).
https://answers.splunk.com/answers/107605/filtering-events-out-via-props-conf-and-transforms-conf.ht...
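The props/transforms route that the last two comments point to, written out as an added example (not the thread's own configuration). It goes on the first heavy forwarder or indexer the events pass through, not on the universal forwarder, because the universal forwarder does not parse events. It assumes classic (non-XML) rendering, where the sourcetype is WinEventLog:Security and each event body carries an `EventCode=<n>` line; the stanza name and the event codes are placeholders.

```ini
# props.conf on the heavy forwarder or indexer (added example; not from the thread)
[WinEventLog:Security]
# Assumes renderXml is off on the forwarder, so the sourcetype is WinEventLog:Security.
TRANSFORMS-drop_security_noise = drop_security_noise

# transforms.conf on the same instance
[drop_security_noise]
# Classic-rendered events contain a line "EventCode=<n>"; (?m) makes ^ and $ match per line,
# and \s* absorbs a trailing carriage return. The codes are placeholders.
# Matching events are routed to nullQueue before indexing, so they never count against
# the license, but they have already crossed the network and cost parsing CPU here.
REGEX = (?m)^EventCode=(4703|5152|5447)\s*$
DEST_KEY = queue
FORMAT = nullQueue
```

After restarting splunkd on that instance, search for one of the dropped codes under the sourcetype and confirm that no new events arrive. Keep the inputs.conf blacklists for everything they can cover, since dropping on the universal forwarder also saves bandwidth and the parsing CPU the comment above warns about; use the nullQueue transform only for the overflow.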