Hello comrades,
We are using universal forwarder on hosts. And we have a noisy dude that produces EventID:4674, and exceeds our license limit. Can we shut this dude's mouth on agent side but only on eventID:4674? Sorry newbie here.
Many thanks,
@BoldKnowsNothin - Yes, it can be done with inputs.conf on the UF under the App's local folder. (Most likely Windows Add-on will have this input.)
[Your input stanza that is collecting the data]
blacklist5 = 4674
blacklist5, the number 5 could be different depending on what you are deploying.
I hope this helps!! And welcome to the Splunk community!!!
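The filter from the answer above, written out as an added example (not part of the original reply). It assumes the 4674 events are collected from the Security log through the `[WinEventLog://Security]` stanza; the app folder name and the process path are constructed placeholders.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf on the universal forwarder.
# <your_app> is a placeholder for the app that already carries this input.
# To see which blacklistN keys are already taken for this stanza, run:
#   splunk btool inputs list WinEventLog://Security --debug
[WinEventLog://Security]

# Option A: drop every 4674 event on this host before it is forwarded.
blacklist5 = 4674

# Option B (use instead of A): drop 4674 only when it comes from the one
# noisy process, so 4674 events from other processes still reach the indexer
# and stay available for detection and investigation.
# The process path below is a constructed placeholder; the value is a regex.
# blacklist5 = EventCode="4674" Message="Process Name:\s+C:\\Path\\To\\noisy\.exe"
```

Restart the forwarder after changing inputs.conf so the new filter is loaded.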