Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple blacklist from different inputs

cboillot
Contributor
‎10-23-2019 09:20 AM

We are working on moving from Splunk Add-on for Microsoft Windows DNS to Splunk Add-on for Microsoft Windows. We currently have the blacklist for event codes 4662 and 566 setup in the Windows add-on as blacklist1 and blacklist 2, respectively. 

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"

The question I have is, we have some servers that have a blacklist on event codes 4634 and 4907 (activedirectory/local/inputs.conf)

blacklist = 4634,4907

What would be best way to go about getting these two to work together? If I name it blacklist 9, will that still work, as there is not a 1-8 or a 3-8?

Or would it be better if I just made a copy of the Windows Add-on for those servers?

0 Karma
Reply

woodcock
Esteemed Legend
‎10-25-2019 04:54 PM

Yes, have 2 apps, with different names and have one with blacklist1 and blacklist2, the other with blacklist9 (or blacklist3; both should work). Deploy one, the other or both, and it will do what you expect/need.

0 Karma
Reply

ivanreis
Builder
‎10-23-2019 03:49 PM

you have an option to group the eventcode when there are having the same message pattern.

blacklist1 = EventCode="(566|4662)" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="(4634|4907)" Message="Account Name:(\W+\w+$)"

Here you have a document with more details about blacklist windows events
https://gist.github.com/automine/a3915d5238e2967c8d44b0ebcfb66147

you also have an option to use the add-on because all the configuration is already there, so you can also customise this add-on with those new blacklist

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top