Solved: Re: How to drop single host's single event

BoldKnowsNothin · ‎09-22-2023

Hello comrades,

We are using universal forwarder on hosts. And we have a noisy dude that products EventID:4674, and exceeds our license limit. Can we shut this dude's mouth on agent side but only on eventID:4674? Sorry newbie here.

Many thanks,

VatsalJagani · ‎09-23-2023

@BoldKnowsNothin - Yes, it can be done with inputs.conf on the UF under the App's local folder. (Most likely Windows Add-on will have this input.)

[Your input stanza that is collecting the data]
blacklist5 = 4674

blacklist5, the number 5 could be different depending on what you are deploying.

I hope this helps!! And welcome to the Splunk community!!!

View solution in original post

VatsalJagani · ‎09-23-2023

@BoldKnowsNothin - Yes, it can be done with inputs.conf on the UF under the App's local folder. (Most likely Windows Add-on will have this input.)

[Your input stanza that is collecting the data]
blacklist5 = 4674

blacklist5, the number 5 could be different depending on what you are deploying.

I hope this helps!! And welcome to the Splunk community!!!

How to drop single host's single event

configuration

using Splunk Enterprise

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation