WinEventLog UF 6.2 renderXml Blacklist

New Member

I'm struggling with setting up a blacklist for a WinEventLog inputs.conf with renderXml = true.

This is the inputs.conf stanza I'm using:
disabled = false
renderXml = true

(referring to:

Now I want to blacklist every event caused by, for example, splunkd.exe.

I've tried something like
blacklist = ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"

but this does not work.

Any help is really appreciated.


0 Karma


Were you ever able to accomplish blacklisting? I was just trying to accomplish the same thing. Since there is no message field when renderXml=true AND it appears that only specific keys (not including _raw) are supported with whitelisting|blacklisting, I am thinking a feature modification request is in order...

0 Karma


I know this is a late response to the thread, but I finally got this working for myself as well. Here is a sample input:

renderXml = True
#client-side extension processing started/completed
whitelist1 = EventCode=%^(4016|5016)$%
#gpo download from domain controller
whitelist2 = EventCode=%^(5126)$%
#manual processing of GPO started/completed for user
whitelist3 = EventCode=%^(4004|8004)$%
#manual processing of GPO started/completed for machine
whitelist4 = EventCode=%^(4005|8005)$%
0 Karma

Splunk Employee

Please see the Splunk documentation: -- there is a list of keys under the section "Create advanced filters with 'whitelist' and 'blacklist'". These keys are the same keys IF you were not rendering the event in XML.
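A lint check for the filter lines quoted in this thread, as an added example that is not part of any post and not Splunk's own tooling: it parses each `whitelist`/`blacklist` value in the `key=<delim>regex<delim>` form and reports keys outside the documented key list (such as `ParentImage`) and patterns that fail to compile. Assumptions: `lint_filters` is a hypothetical helper, `SUPPORTED_KEYS` reproduces the key list from the documentation section named above, and Python's `re` stands in for Splunk's PCRE engine.

```python
import re

# Assumption: keys accepted by the advanced (key=regex) filter format, per the
# "Create advanced filters with 'whitelist' and 'blacklist'" documentation.
# Confirm against the inputs.conf.spec shipped with your forwarder version.
SUPPORTED_KEYS = {
    "$TimeGenerated", "$Timestamp", "Category", "CategoryString",
    "ComputerName", "EventCode", "EventType", "Keywords", "LogName",
    "Message", "OpCode", "RecordNumber", "Sid", "SidType", "SourceName",
    "TaskCategory", "Type", "User",
}
SETTING = re.compile(r"^\s*((?:white|black)list\d*)\s*=\s*(.+?)\s*$")
# key=<delim>regex<delim>, where <delim> is any single non-space character
PAIR = re.compile(r"(\$?\w+)\s*=\s*(\S)(.*?)\2")
ID_LIST = re.compile(r"^[\d,\s-]+$")  # simple format: event IDs and ranges


def lint_filters(conf_text):
    """Return (line_no, setting, key, problem) for each suspicious filter."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = SETTING.match(line)
        if not m or ID_LIST.match(m.group(2)):
            continue  # comments, other settings, or a plain event-ID list
        setting, value = m.groups()
        pairs = PAIR.findall(value)
        if not pairs:
            findings.append((line_no, setting, None, "no key=<delim>regex<delim> pair"))
        for key, _delim, pattern in pairs:
            if key not in SUPPORTED_KEYS:
                findings.append((line_no, setting, key, "unsupported key"))
            try:
                re.compile(pattern)  # Python re stands in for Splunk's PCRE
            except re.error as exc:
                findings.append((line_no, setting, key, f"regex error: {exc}"))
    return findings


# Constructed sample: filter lines quoted from the posts above.
SAMPLE = r'''
renderXml = true
blacklist = ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
whitelist1 = EventCode=%^(4016|5016)$%
whitelist4 = EventCode=%^(4005|8005)$%
'''

if __name__ == "__main__":
    for finding in lint_filters(SAMPLE):
        print(finding)
```

Running it over a forwarder's inputs.conf before deployment surfaces filters that would otherwise be silently ineffective and leave unwanted events in the index.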