Getting Data In

Why is one of my blacklists on inputs.conf not working to filter events from Windows Event Logs?

fatemabwudel
Path Finder

Hi,

So I am using the Windows Universal forwarder (6.4.1) to forward data to indexers (6.5).
I have a filter setup in inputs.conf on UFs:

[WinEventLog://Security]
disabled = 0
index = test
sourcetype = windows
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = 560,567,7035,7036,592,593,595,4656,4663
blacklist4 = Message="Account Name:[\s]*(.*\$)"
blacklist5 = Message="Account Name:[\s]*HealthMailbox.*"

The problem is that I can see blacklists 1-4 working, i.e., not getting any events corresponding to those codes/regexes,
but blacklist5 doesn't work, i.e., still seeing the events with Account Names containing "HealthMailbox" in them. I have spent enough
of my time beating my head around trying to think what could be the cause of this behavior but couldn't find a solution.

Is there something I am missing?

Thanks for the help.

Fatema.

0 Karma
1 Solution

gokadroid
Motivator

Hi @fatemabwudel

If you could post the type of events you are trying to filter that might help, but I think the problem is in your current regex:

Your regex:

Message="Account Name:[\s]*HealthMailbox.*"

What it will filter is all the account names that start with HealthMailbox and are preceded by n number of spaces:

Message="Account Name:<singlespace>HealthMailbox<Everything hereafter>"
Message="Account Name:<singlespace><singlespace>HealthMailbox<Everything hereafter>"
Message="Account Name:<singlespace><singlespace><singlespace>...and so on...HealthMailbox<Everything hereafter>"

What you probably wanted to filter was "Account Names containing HealthMailbox":

Message="Account Name:<singlespace><someNonSpacestringhere>HealthMailbox<Everything hereafter>"

Try this if there is no space between <someNonSpaceString> and HealthMailbox:

Message=\"Account Name:[\s]+?[\S]+HealthMailbox.*\"

Example: Message="Account Name: thisIsSomeAccountHealthMailbox and here is all data afterwards"

If there are spaces between <someNonSpaceString> and HealthMailbox try:

Message=\"Account Name:[\s]+?[\S]+?\s+?HealthMailbox.*\"

Example: Message="Account Name: thisIsSomeAccount HealthMailbox and here is all data afterwards"

Otherwise, please respond with events and we will provide the exact regex. Test them here: https://regex101.com/
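A small harness, added here as an example and not code from the thread or from Splunk, that evaluates inputs.conf blacklist entries against constructed 4634 logoff messages so a pattern can be checked before it goes on a forwarder. It assumes the semantics the thread relies on: key="regex" pairs in one entry are ANDed, each regex is searched anywhere in its field, and a bare list of numbers is a list of EventCodes.

```python
import re

# Assumed evaluation rules (not confirmed by the thread): key="regex" pairs in
# one entry are ANDed, each regex is searched within its field, and a bare
# comma-separated list of numbers is treated as a list of EventCodes to drop.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_blacklist(entry):
    """Turn one blacklist value into {field: regex}."""
    pairs = PAIR_RE.findall(entry)
    if pairs:
        return dict(pairs)
    codes = [c.strip() for c in entry.split(",") if c.strip()]
    return {"EventCode": "^(?:" + "|".join(map(re.escape, codes)) + ")$"}


def is_blacklisted(entry, event):
    """True when every field regex of the entry matches the event (a dict of field -> text)."""
    return all(re.search(rx, event.get(field, "")) is not None
               for field, rx in parse_blacklist(entry).items())


def blocked_by(entries, event):
    """Names of the entries (dict name -> value) that would drop this event."""
    return [name for name, entry in entries.items() if is_blacklisted(entry, event)]


def logoff_event(account_name):
    """Constructed sample shaped like the 4634 logoff event in the thread (tabs, as Windows emits them)."""
    msg = ("An account was logged off.\n\nSubject:\n"
           "\tSecurity ID:\t\tWIN\\" + account_name + "\n"
           "\tAccount Name:\t\t" + account_name + "\n"
           "\tAccount Domain:\t\tWIN\n\tLogon ID:\t\t0x1234\n\nLogon Type:\t3")
    return {"EventCode": "4634", "Message": msg}


# The three candidate patterns discussed above, quotes written unescaped.
CANDIDATES = {
    "original":   r'Message="Account Name:[\s]*HealthMailbox.*"',
    "no_space":   r'Message="Account Name:[\s]+?[\S]+HealthMailbox.*"',
    "with_space": r'Message="Account Name:[\s]+?[\S]+?\s+?HealthMailbox.*"',
}

if __name__ == "__main__":
    for name in ("HealthMailbox453678", "svcHealthMailbox01", "svc HealthMailbox01", "jdoe"):
        print(f"{name!r:24} blocked by: {blocked_by(CANDIDATES, logoff_event(name))}")
```

Running it prints which candidate drops each constructed account name; the same check against a real sample of the events a blacklist is meant to drop is worth doing before the entry is deployed.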


fatemabwudel
Path Finder

I think the regex was the problem.
Changed the regex to this: blacklist5 = Message="Account Name:[\s](.*HealthMailbox.)"

The events looked like this:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=comp1
TaskCategory=Logoff
OpCode=Info
RecordNumber=45263512
Keywords=Audit Success
Message=An account was logged off.

Subject:
Security ID: WIN\HealthMailbox453678
Account Name: HealthMailbox453678
Account Domain: WIN
Logon ID: 0x23S797B

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Thank you for the response and help!

Fatema.

0 Karma

gokadroid
Motivator

You are welcome @fatemabwudel

0 Karma

lukejadamec
Super Champion

Does Account Name appear twice in the Message of the events you're trying to block?
Since both of these are Message text regexes, have you tried removing #4 to test #5?

0 Karma

fatemabwudel
Path Finder

Yeah, it didn't work (removing #4 to test #5). Hence changed the regex and it fixed it.
Thanks for the help!

0 Karma

lukejadamec
Super Champion

Rockondog.

0 Karma

lukejadamec
Super Champion

You did try putting HealthMailbox. in parens right? (HealthMailbox.)

0 Karma

fatemabwudel
Path Finder

Yeah, before it was in parens but thought that maybe that might be causing it not to parse, hence tried without parens and still didn't work 😞
(the asterisks in the question got changed, here is the regex:
blacklist5 = Message="Account Name:[\s]HealthMailbox."

0 Karma

fatemabwudel
Path Finder

arrr, still the asterisks got replaced while posting, let me try this:
blacklist5 = Message="Account Name:\sHealthMailbox.(asterisk)"

0 Karma

aaraneta_splunk
Splunk Employee

Just a friendly reminder: if you want to keep your code formatting, be sure to wrap your code in a code sample so that any special characters (like an asterisk) are rendered properly. Use the code sample icon in the toolbar to do this (it's to the right of the blockquote/quotations icon). Thanks.

0 Karma

fatemabwudel
Path Finder

Thanks for formatting it. Appreciate it.
Will remember from next time.

0 Karma