Solved: Re: How to drop single host's single event

BoldKnowsNothin · ‎09-22-2023

Hello comrades,

We are using universal forwarder on hosts. And we have a noisy dude that products EventID:4674, and exceeds our license limit. Can we shut this dude's mouth on agent side but only on eventID:4674? Sorry newbie here.

Many thanks,

VatsalJagani · ‎09-23-2023

@BoldKnowsNothin - Yes, it can be done with inputs.conf on the UF under the App's local folder. (Most likely Windows Add-on will have this input.)

[Your input stanza that is collecting the data]
blacklist5 = 4674

blacklist5, the number 5 could be different depending on what you are deploying.

I hope this helps!! And welcome to the Splunk community!!!

View solution in original post

VatsalJagani · ‎09-23-2023

@BoldKnowsNothin - Yes, it can be done with inputs.conf on the UF under the App's local folder. (Most likely Windows Add-on will have this input.)

[Your input stanza that is collecting the data]
blacklist5 = 4674

blacklist5, the number 5 could be different depending on what you are deploying.

I hope this helps!! And welcome to the Splunk community!!!

How to drop single host's single event

configuration

using Splunk Enterprise

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation