Getting Data In

Multiple blacklist from different inputs

cboillot
Contributor

We are working on moving from Splunk Add-on for Microsoft Windows DNS to Splunk Add-on for Microsoft Windows. We currently have the blacklist for event codes 4662 and 566 setup in the Windows add-on as blacklist1 and blacklist 2, respectively.

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"

The question I have is, we have some servers that have a blacklist on event codes 4634 and 4907 (activedirectory/local/inputs.conf)

blacklist = 4634,4907

What would be best way to go about getting these two to work together? If I name it blacklist 9, will that still work, as there is not a 1-8 or a 3-8?

Or would it be better if I just made a copy of the Windows Add-on for those servers?

0 Karma

woodcock
Esteemed Legend

Yes, have 2 apps, with different names and have one with blacklist1 and blacklist2, the other with blacklist9 (or blacklist3; both should work). Deploy one, the other or both, and it will do what you expect/need.

0 Karma

ivanreis
Builder

you have an option to group the eventcode when there are having the same message pattern.

blacklist1 = EventCode="(566|4662)" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="(4634|4907)" Message="Account Name:(\W+\w+$)"

Here you have a document with more details about blacklist windows events
https://gist.github.com/automine/a3915d5238e2967c8d44b0ebcfb66147

you also have an option to use the add-on because all the configuration is already there, so you can also customise this add-on with those new blacklist

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...