Getting Data In

Multiple blacklist from different inputs

cboillot
Contributor

We are working on moving from Splunk Add-on for Microsoft Windows DNS to Splunk Add-on for Microsoft Windows. We currently have the blacklist for event codes 4662 and 566 setup in the Windows add-on as blacklist1 and blacklist 2, respectively.

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"

The question I have is, we have some servers that have a blacklist on event codes 4634 and 4907 (activedirectory/local/inputs.conf)

blacklist = 4634,4907

What would be best way to go about getting these two to work together? If I name it blacklist 9, will that still work, as there is not a 1-8 or a 3-8?

Or would it be better if I just made a copy of the Windows Add-on for those servers?

0 Karma

woodcock
Esteemed Legend

Yes, have 2 apps, with different names and have one with blacklist1 and blacklist2, the other with blacklist9 (or blacklist3; both should work). Deploy one, the other or both, and it will do what you expect/need.

0 Karma

ivanreis
Builder

you have an option to group the eventcode when there are having the same message pattern.

blacklist1 = EventCode="(566|4662)" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="(4634|4907)" Message="Account Name:(\W+\w+$)"

Here you have a document with more details about blacklist windows events
https://gist.github.com/automine/a3915d5238e2967c8d44b0ebcfb66147

you also have an option to use the add-on because all the configuration is already there, so you can also customise this add-on with those new blacklist

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...