Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple blacklist from different inputs

cboillot
Contributor
‎10-23-2019 09:20 AM

We are working on moving from Splunk Add-on for Microsoft Windows DNS to Splunk Add-on for Microsoft Windows. We currently have the blacklist for event codes 4662 and 566 setup in the Windows add-on as blacklist1 and blacklist 2, respectively. 

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"

The question I have is, we have some servers that have a blacklist on event codes 4634 and 4907 (activedirectory/local/inputs.conf)

blacklist = 4634,4907

What would be best way to go about getting these two to work together? If I name it blacklist 9, will that still work, as there is not a 1-8 or a 3-8?

Or would it be better if I just made a copy of the Windows Add-on for those servers?

0 Karma
Reply

woodcock
Esteemed Legend
‎10-25-2019 04:54 PM

Yes, have 2 apps, with different names and have one with blacklist1 and blacklist2, the other with blacklist9 (or blacklist3; both should work). Deploy one, the other or both, and it will do what you expect/need.

0 Karma
Reply

ivanreis
Builder
‎10-23-2019 03:49 PM

you have an option to group the eventcode when there are having the same message pattern.

blacklist1 = EventCode="(566|4662)" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="(4634|4907)" Message="Account Name:(\W+\w+$)"

Here you have a document with more details about blacklist windows events
https://gist.github.com/automine/a3915d5238e2967c8d44b0ebcfb66147

you also have an option to use the add-on because all the configuration is already there, so you can also customise this add-on with those new blacklist

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...