Getting Data In

Unable to whitelist only Error EventID's sent from UF to Indexer

sneha_nv
Engager

Hi Team,

From Windows Event Viewer logs we can onboard all Event IDs generated for the "Application" and "System" event logs, but we are unable to onboard filtered events based on Event Code or Type (Error/Warning).
 
Below is the inputs.conf I wrote to filter the events, which is not working. I also followed the Splunk docs below.
 
[WinEventLog ://Application]
disabled = 0
whitelist = Type="^[Error|Critical]"
index = test
 
OR
 
[WinEventLog://Application]
disabled = 0
whitelist = EventCode="1001|11707"
index = test
 
 
 
Please check with your seniors on how we can whitelist only Error events in the Application or System event logs. Please find the attachment.

(attachment: sneha_nv_0-1599544724108.png)

 

 

sneha_nv
Engager

It worked for me:

[WinEventLog://System]
disabled = 0
whitelist1 = Type="^[Error]"
whitelist2 = Type="^[Critical]"
whitelist3 = Type="^[Warning]"
index = test

 
[WinEventLog://Application]
disabled = 0
whitelist1 = Type="^[Error]"
whitelist2 = Type="^[Critical]"
whitelist3 = Type="^[Warning]"

index = test


thambisetty
SplunkTrust

I suggest you replace [] with (); characters between [] match individually. For example:

[Error] - matches E or r or r or o or r anywhere in the event.

(Error) - matches only Error.

————————————
If this helps, give a like below.

sneha_nv
Engager

Also, if I don't know the error EventCode and want to collect the "Application" and "System" logs based only on Type (Error/Warning):

What will my inputs.conf be in this scenario while onboarding data from UF to Indexer?


thambisetty
SplunkTrust

Try the below:

[WinEventLog://Application]
disabled = 0
whitelist = EventCode="^(1001|11707)$"
index = test

[WinEventLog://System]
disabled = 0
# no space between whitelist and number
whitelist1 = EventCode="7011"
whitelist2 = Type="^(Error|Critical)$"
index = test
————————————
If this helps, give a like below.
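To make the regex point in this thread concrete, here is an added Python example (not code from the thread or from Splunk) that evaluates the whitelist values discussed above against a handful of constructed events. It models three assumptions about how the Windows Event Log input applies whitelists, which you should confirm against the Splunk docs for your version: key="regex" pairs on one whitelist line are ANDed, whitelist / whitelist1 ... whitelist9 are ORed, and each regex is searched anywhere in the field value (which is why the ^...$ anchors matter). The sample events, field values and stanza dictionaries are all constructed for the demonstration.

```python
import re

# Constructed sample events (not real log data). Type and EventCode are the
# field names the Splunk Windows Event Log input exposes.
SAMPLE_EVENTS = [
    {"EventCode": "1001", "Type": "Error"},
    {"EventCode": "11001", "Type": "Error"},        # contains "1001" as a substring
    {"EventCode": "11707", "Type": "Information"},
    {"EventCode": "7011", "Type": "Warning"},
    {"EventCode": "41", "Type": "Critical"},
    {"EventCode": "4624", "Type": "Success Audit"},
]


def parse_whitelist_value(value):
    """Turn a whitelist value such as 'EventCode="^(1001|11707)$" Type="^Error$"'
    into a list of (field, compiled regex) pairs."""
    pairs = re.findall(r'(\w+)="([^"]*)"', value)
    if not pairs:
        raise ValueError('expected key="regex" pairs, got %r' % value)
    return [(field, re.compile(regex)) for field, regex in pairs]


def line_matches(event, pairs):
    # Assumption: pairs on one whitelist line are ANDed, and the regex is
    # searched anywhere in the field value (unanchored unless you write ^...$).
    return all(rx.search(str(event.get(field, ""))) for field, rx in pairs)


def apply_stanza(stanza, events=SAMPLE_EVENTS):
    """Return the EventCodes that pass the stanza's whitelist keys.
    Assumption: whitelist, whitelist1 ... whitelist9 are ORed together.
    A stanza with no whitelist key forwards every event."""
    lines = [parse_whitelist_value(v) for k, v in stanza.items()
             if re.fullmatch(r"whitelist[1-9]?", k)]
    if not lines:
        return [e["EventCode"] for e in events]
    return [e["EventCode"] for e in events
            if any(line_matches(e, pairs) for pairs in lines)]


# The unanchored EventCode pattern from the question: also matches 11001.
ORIGINAL_CODES = {"whitelist": 'EventCode="1001|11707"'}
# The anchored version from the reply: exact codes only.
ANCHORED_CODES = {"whitelist": 'EventCode="^(1001|11707)$"'}
# Character class: any single E, r or o anywhere in Type, so Warning,
# Information and Critical all pass because they contain an "r".
CLASS_TYPE = {"whitelist": 'Type="[Error]"'}
# Group with anchors: only the whole words Error or Critical.
GROUP_TYPE = {"whitelist": 'Type="^(Error|Critical)$"'}
# Two whitelist keys ORed: one specific code plus a severity filter.
SYSTEM_STANZA = {"whitelist1": 'EventCode="^7011$"',
                 "whitelist2": 'Type="^(Error|Critical)$"'}

if __name__ == "__main__":
    for name, stanza in [("unanchored codes", ORIGINAL_CODES),
                         ("anchored codes", ANCHORED_CODES),
                         ("[Error] class", CLASS_TYPE),
                         ("(Error|Critical) group", GROUP_TYPE),
                         ("whitelist1 OR whitelist2", SYSTEM_STANZA)]:
        print("%-26s -> %s" % (name, apply_stanza(stanza)))
```

Running it shows the unanchored "1001|11707" pattern letting 11001 through and the "[Error]" class passing Warning, Information and Critical, while the anchored group forms return only the intended events. Because the model's OR/AND/anchoring semantics are assumptions, the useful check on a real forwarder is the same one: onboard into a test index as above and compare the EventCode and Type values that arrive against what you expected.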