Solved: Re: How to drop single host's single event

BoldKnowsNothin · ‎09-22-2023

Hello comrades,

We are using universal forwarder on hosts. And we have a noisy dude that products EventID:4674, and exceeds our license limit. Can we shut this dude's mouth on agent side but only on eventID:4674? Sorry newbie here.

Many thanks,

VatsalJagani · ‎09-23-2023

@BoldKnowsNothin - Yes, it can be done with inputs.conf on the UF under the App's local folder. (Most likely Windows Add-on will have this input.)

[Your input stanza that is collecting the data]
blacklist5 = 4674

blacklist5, the number 5 could be different depending on what you are deploying.

I hope this helps!! And welcome to the Splunk community!!!

View solution in original post

VatsalJagani · ‎09-23-2023

@BoldKnowsNothin - Yes, it can be done with inputs.conf on the UF under the App's local folder. (Most likely Windows Add-on will have this input.)

[Your input stanza that is collecting the data]
blacklist5 = 4674

blacklist5, the number 5 could be different depending on what you are deploying.

I hope this helps!! And welcome to the Splunk community!!!

How to drop single host's single event

configuration

using Splunk Enterprise

Monitoring Postgres with OpenTelemetry

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor