Getting Data In

Parameter "blacklist" in inputs.conf

templier
Communicator

Hello, friends!

We have:
a Splunk server (indexer) and a computer with WinXP and a UniversalForwarder.
The task was to remove some Windows security events from the Splunk indexer.
It was solved by using the parameter "blacklist" in inputs.conf on the computer with WinXP.

  • inputs.conf

    [WinEventLog://Security]
    disabled = false
    blacklist = 538,540

And everything worked as needed: the data came from the EventLog except for the two specified IDs (538 and 540).

The problem started when I decided to add a third ID (576).
I changed the inputs.conf:

[WinEventLog://Security]
disabled = false
blacklist = 538,540,576

Save, restart the splunk service.

And all events from the EventLog on this machine stopped coming to the indexer.
If I change inputs.conf back to its original appearance (with two event IDs), everything works again as needed.

What can cause this problem?

Thx!

1 Solution

bshuler_splunk
Splunk Employee

The blacklist parameter is a regular expression:

http://regexone.com

This worked in my test:

blacklist = 538|540|576

Here is the documentation for the parameter:

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

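To make the accepted answer concrete, here is an added example (not code from the thread or from Splunk) that applies each blacklist string mentioned in this thread as a regular expression against the event ID of some constructed sample events, the way the answer describes the parameter. Whether Splunk anchors the match to the whole event ID is an assumption of this example, so both the anchored and the unanchored interpretation are shown.

```python
import re

# Constructed sample Security events (EventCode, description); not taken from the post.
# 538/540/576 are the IDs the thread wants to drop. 9540 is a constructed ID that merely
# contains "540", used to show what an unanchored match would do.
SAMPLE_EVENTS = [
    (528, "Successful Logon"),
    (538, "User Logoff"),
    (540, "Successful Network Logon"),
    (576, "Special privileges assigned to new logon"),
    (612, "Audit Policy Change"),
    (9540, "constructed: contains 540 as a substring"),
]


def blacklist_filter(events, blacklist, anchored=True):
    """Return the events that survive a blacklist treated as a regular expression.

    The pattern is matched against the event ID as a string. anchored=True uses
    re.fullmatch (the whole ID must match); anchored=False uses re.search
    (any substring may match). Which one Splunk does is assumed here, not known.
    """
    pattern = re.compile(blacklist)
    match = pattern.fullmatch if anchored else pattern.search
    return [(code, msg) for code, msg in events if not match(str(code))]


def kept_ids(blacklist, anchored=True):
    """Convenience wrapper: just the IDs that are still forwarded."""
    return [code for code, _ in blacklist_filter(SAMPLE_EVENTS, blacklist, anchored)]


if __name__ == "__main__":
    for bl in ("538,540,576", "538|540|576", "(576|538|540)"):
        print(f"blacklist = {bl:<16} kept (anchored):   {kept_ids(bl)}")
        print(f"blacklist = {bl:<16} kept (unanchored): {kept_ids(bl, anchored=False)}")
```

Read as a regex, `538,540,576` is the literal string "538,540,576" and matches no event ID at all, while `538|540|576` and `(576|538|540)` each drop exactly the three IDs. The unanchored run is the caveat worth keeping in mind when writing such filters: a pattern like `540` would also silence any ID that merely contains those digits, so a blacklist that is too loose can quietly discard security events you meant to keep.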


templier
Communicator

Thx. Will check shortly.
Last time there was no time to do it.

0 Karma

rakesh_498115
Motivator

have you tried blacklist = (576|538|540)

0 Karma

templier
Communicator

Of course I checked the security log for the presence of these IDs. The entries are present in the security log; they are not present in Splunk.

0 Karma

Pierceyuk
Path Finder

Have you checked the event log to see if there are events without those IDs? Just want to rule out the obvious etc...

0 Karma

templier
Communicator

blacklist = 576,538,540 and blacklist = 576,538 - the same result 😞
As an option, I could make a whitelist with all EventIDs except these, but I will try that later. I think this cannot be caused by the free license.

0 Karma

somesoni2
Revered Legend

Just to be sure, can you try changing the order of event ids in blacklist?

0 Karma

templier
Communicator

Yes, other data from this machine comes through correctly. Only the EventLog disappears.

0 Karma

laserval
Communicator

Do you get other events from the forwarder? Can you see any errors or warnings from the forwarder when searching in index=_internal?

0 Karma