Hello
How do I filter events (Windows event log) on a forwarder? btw how do I install a heavy forwarder?
I have Splunk 6.2.3.
Thanks in advance
Hi, I'm running out of ideas.
The last thing I would suggest is to run the diagnostic tool and upload the output to Dropbox so that I can take a look. Please make sure there's nothing sensitive there that I shouldn't have access to.
How to generate a diag: http://docs.splunk.com/Documentation/Splunk/6.3.2/Troubleshooting/Generateadiag
If I can't find anything in there I would recommend you to open a support call with Splunk as they will be in a much better position than me to debug this problem.
Thanks,
J
Thanks for the quick reply, really appreciate it!!
The inputs.conf exists in /opt/splunk/etc/system/local/
[root@splunk-102 local]# vi inputs.conf
[default]
host = splunk-102
[splunktcp://9997]
[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
[WinEventLog://Security]
disabled = 0
blacklist = 4726
Hi, the inputs.conf file looks all right to me.
Maybe because of using the Splunk free license?
Hi, I have removed the Windows app for Splunk and reinstalled it again, still the same 😞
Hi,
I'm assuming this is your inputs.conf and your blacklist is still not working:
[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
[WinEventLog://Security]
disabled = 0
blacklist = 4726
Could you try debugging your inputs file with btool? See this:
./splunk cmd btool inputs list --debug
Hi, thanks for the quick reply
All seems OK besides this: Invalid key in stanza [ui] in /opt/splunk/etc/apps/splunk_app_windows_infrastructure/default/app.conf, line 14: attribution_link (value: app.attributions).
Hi, I thought you had removed the Windows app from there:
Can you also post the output of your btool inputs command here?
I removed the Windows app and restarted Splunk,
Can you please write your email address here so I can send you the output file (it's too big to paste here)?
Hi, people usually paste big outputs on pastebin or GitHub and then post the link in here. This way everybody will get access to it.
Hi
Here is the link :
https://www.dropbox.com/s/d4lnqctprw9xzrp/btool%20output.txt?dl=0
Hi, by looking at the Security Log section I think there's a conflict between the Splunk_ta_windows and your system local config. This is not the case for the System Log section. See below:
[WinEventLog://Security]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/local/inputs.conf blacklist = 4726
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
If I were you I would comment out blacklist1 and 2 in /opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf and see if that solves the problem. Keep in mind you shouldn't make changes on default files so once we find the problem make sure you roll this back.
Alternatively move the whole Splunk_ta_windows somewhere else temporarily (or permanently if you don't need it just yet).
Hi, here is the relevant output
https://www.dropbox.com/s/l4hd34w768ipqol/new%20btool%20output.txt?dl=0
Hello, I performed the correction to blacklist = 4726, but I am still able to see the event in Splunk.
I removed the server class for System & Security and now I am unable to see System & Security events.
Is there no way to configure inputs.conf to see events without server classes?
Thanks
Hi, take a look at the following line:
/opt/splunk/etc/system/local/inputs.conf blacklist = EventCode="4726" Message="Object Type:\s+(?!groupPolicyContainer)"
The syntax is wrong and it should be either:
blacklist = 4726
Or:
blacklist1 = EventCode="4726" Message="Object Type:\s+(?!groupPolicyContainer)"
Edit "/opt/splunk/etc/system/local/inputs.conf" and try the first one (easier). Restart Splunk and let me know. As you can see, debugging with btool is one of the most efficient ways to find out what's going on.
Thanks,
J
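As an added check (my own script, not from this thread or from Splunk), the following Python parses the output of `splunk cmd btool inputs list --debug` and flags the two problems J pointed out above: a filter key whose value is in the wrong form (the unnumbered key taking a plain event-code list, the numbered keys taking key="regex" pairs, as the thread recommends), and a WinEventLog stanza whose filters come from more than one file, as with the Splunk_TA_windows overlap. The sample input is constructed from the btool lines quoted in the thread; btool --debug prefixes each line with the file it came from, and a bare "[stanza]" line without a path is also accepted.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the btool --debug lines quoted in the thread.
SAMPLE_BTOOL = r"""
/opt/splunk/etc/system/local/inputs.conf [WinEventLog://System]
/opt/splunk/etc/system/local/inputs.conf whitelist = 7036-7037
/opt/splunk/etc/system/local/inputs.conf [WinEventLog://Security]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/local/inputs.conf blacklist = EventCode="4726" Message="Object Type:\s+(?!groupPolicyContainer)"
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
"""
EVENT_LIST = re.compile(r"^\d+(-\d+)?(\s*,\s*\d+(-\d+)?)*$")  # e.g. 4726 or 7036-7037
KEY_REGEX = re.compile(r'^(\w+="[^"]*"\s*)+$')              # e.g. EventCode="4726" Message="..."
FILTER_KEY = re.compile(r"^(whitelist|blacklist)(\d*)$")

def parse_btool(text):
    """Return {stanza: [(file, key, value), ...]} from 'btool inputs list --debug' output."""
    stanzas, current = defaultdict(list), None
    for line in text.strip().splitlines():
        path, _, rest = ("", "", line) if line.startswith("[") else line.partition(" ")
        rest = rest.strip()
        if rest.startswith("["):
            current = rest
        elif current and "=" in rest:
            key, _, value = rest.partition("=")
            stanzas[current].append((path, key.strip(), value.strip()))
    return stanzas

def check_filters(text):
    """Flag filter values in the wrong form and filters for one log spread over several files."""
    findings = []
    for stanza, entries in parse_btool(text).items():
        if not stanza.startswith("[WinEventLog://"):
            continue
        files = set()
        for path, key, value in entries:
            m = FILTER_KEY.match(key)
            if not m:
                continue
            files.add(path)
            if not m.group(2) and not EVENT_LIST.match(value):   # unnumbered: plain code list
                findings.append((stanza, f"{key}: expected event code list, got {value!r} ({path})"))
            elif m.group(2) and not KEY_REGEX.match(value):      # numbered: key="regex" pairs
                findings.append((stanza, f'{key}: expected key="regex" pairs, got {value!r} ({path})'))
        if len(files) > 1:
            findings.append((stanza, "filters defined in several files: " + ", ".join(sorted(files))))
    return findings
```

Run it over a saved btool output file (for example `python check_filters.py < btool_output.txt` after wiring `sys.stdin.read()` into `check_filters`) before opening a support call; an empty result means the filter syntax and file layering are not the cause.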
Here is the new btool output
Thanks
https://www.dropbox.com/s/l4hd34w768ipqol/new%20btool%20output.txt?dl=0
Hi, I don't think you included all the flags. The output does not contain any details. This is the syntax:
./splunk cmd btool inputs list --debug
Hello, I performed it but still no result.
Hi, can you upload the new btool output for your inputs.conf file in order to see the effective changes?
OK, I tried but still able to see the event ID 4726 😞
I'm running out of ideas.
The following stanza should work just fine so if I were you and none of the above works, I would raise a support call with Splunk and try to find out what's going on.
[WinEventLog://System]
disabled = 0
whitelist = 7036-7037
[WinEventLog://Security]
disabled = 0
blacklist = 4726
Thanks for the assistance, appreciate it. Splunk version is 6.3.2, I tried without the current_only attribute in the Security stanza.
I see this message while restarting the Splunk service:
Invalid key in stanza [ui] in /opt/splunk/etc/apps/splunk_app_windows_infrastructure/default/app.conf, line 14: attribution_link (value: app.attributions).