Solved: How to drop events using inputs.conf?

leejones4 · ‎07-07-2022

We have a Syslog server collecting data from Meraki Wireless devices. There is a UF installed on the Syslog server sending data to Splunk. I have been trying to use Blacklist to filter out the ICMP protocol events which we don't need and I have been unable to drop them. The entry in my inputs.conf file for this are:

[monitor:///syslog0/syslog/meraki/*/*.log]
disabled=0
host_segment = 4

blacklist1 = protocol=icmp
blacklist2 = "(?192.\168.\30.\143.)"
blacklist3 = 10.\12.\239.\7
index = network
sourcetype = meraki

I have tried a number of variations and have been unable to get the "protocol=icmp" to drop. Is there something obvious that I am missing?

Thanks in advance for any suggestions.

PickleRick · ‎07-07-2022

Yes. You're missing one important thing. Blacklisting events on input works for windows event log input only. It doesn't even work for windows events pulled with WMI. And definitely does not work with file monitor input.

You have to filter your events in props/transforms on the first "heavy" component - HF or indexer - in event's path.

View solution in original post

PickleRick · ‎07-07-2022

Yes. You're missing one important thing. Blacklisting events on input works for windows event log input only. It doesn't even work for windows events pulled with WMI. And definitely does not work with file monitor input.

You have to filter your events in props/transforms on the first "heavy" component - HF or indexer - in event's path.

leejones4 · ‎07-07-2022

That was what I was wondering. Thank you for pointing it out, now I can move on and try the props.conf and the transforms.

How to drop events using inputs.conf?

inputs.conf

universal forwarder

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!