
How to edit inputs.conf to blacklist an eventcode?

New Member

I have the following inputs.conf stanza:

[WinEventLog://Security]
disabled=0
current_only=1
blacklist1=EventCode=4662 Message=”Object Type:s+(?!groupPolicyContainer)”

We are still receiving all the event codes. Could you please help with what other changes have to be made?

Note: We are making the changes for the blacklist on the deployment server.

0 Karma

Re: How to edit inputs.conf to blacklist an eventcode?

SplunkTrust

What is the full path to the file of the above inputs.conf?
Are you leveraging the Splunk TA for Windows?

0 Karma

Re: How to edit inputs.conf to blacklist an eventcode?

SplunkTrust

Pulled from my working blacklist of that precise same EventCode and scenario:

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

Not sure if the differences are copy/paste issues or if they're broken in your stanza, but the above has worked for me. Note the \s+.

0 Karma
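
Added example (not part of the thread, and not Splunk's code): a Python check of the Message patterns from the question and the answer against constructed Message text, plus a variant that moves the whitespace inside the lookahead. It assumes Python's `re` treats these constructs the same way as Splunk's regex matching and that the pattern is searched unanchored; the sample messages, the variant pattern and the function names are assumptions, not taken from the posts.

```python
import re

# Message= patterns copied from the question and the accepted answer.
QUESTION = r"Object Type:s+(?!groupPolicyContainer)"
ANSWER = r"Object Type:\s+(?!groupPolicyContainer)"
# Assumed variant (not from this thread): whitespace moved inside the lookahead.
VARIANT = r"Object Type:(?!\s*groupPolicyContainer)"

# Constructed Message fragments, not real event data.
SAMPLES = {
    "user, one space": "Object Server: DS\nObject Type: user\n",
    "GPC, one space": "Object Server: DS\nObject Type: groupPolicyContainer\n",
    "GPC, two tabs": "Object Server:\t\tDS\nObject Type:\t\tgroupPolicyContainer\n",
}

SMART_QUOTES = "\u201c\u201d\u2018\u2019"


def is_dropped(pattern, message):
    """True if the pattern matches anywhere in Message, i.e. the event is blacklisted."""
    return re.search(pattern, message) is not None


def smart_quotes_in(line):
    """Return typographic quotes in a config line; they are not ASCII quote delimiters."""
    return [ch for ch in line if ch in SMART_QUOTES]


def results():
    """Map each pattern name to the names of the samples it would drop."""
    patterns = {"question": QUESTION, "answer": ANSWER, "variant": VARIANT}
    return {
        name: [s for s, msg in SAMPLES.items() if is_dropped(rx, msg)]
        for name, rx in patterns.items()
    }


if __name__ == "__main__":
    for name, dropped in results().items():
        print(f"{name:8} drops: {dropped}")
    pasted = "blacklist1=EventCode=4662 Message=\u201dObject Type:s+(?!groupPolicyContainer)\u201d"
    print("smart quotes found:", smart_quotes_in(pasted))
```

With two tabs before the object type, `\s+` can backtrack to a single tab so the negative lookahead passes and the groupPolicyContainer sample is dropped as well. Check how the Message text is actually rendered on your forwarders before relying on either form.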