I'm struggling with setting up a blacklist for a WinEventLog inputs.conf stanza with renderXml = true.
This is the inputs.conf stanza I'm using:
disabled = false
renderXml = true
Now I want to blacklist every event caused by, for example, splunkd.exe.
I've tried something like
blacklist = ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"
but this does not work.
Any help is really appreciated.
Were you ever able to accomplish blacklisting? I was just trying to accomplish the same thing. Since there is no Message field when renderXml=true, AND it appears that only specific keys (not including _raw) are supported with whitelisting|blacklisting, I am thinking a feature modification request is in order...
I know this is a late response to thread, but finally got this working for myself as well. Here is a sample input:
[WinEventLog://Microsoft-Windows-GroupPolicy/Operational]
renderXml = True
#client-side extension processing started/completed
whitelist1 = EventCode=%^(4016|5016)$%
#gpo download from domain controller
whitelist2 = EventCode=%^(5126)$%
#manual processing of GPO started/completed for user
whitelist3 = EventCode=%^(4004|8004)$%
#manual processing of GPO started/completed for machine
whitelist4 = EventCode=%^(4005|8005)$%
Please see the Splunk documentation: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/MonitorWindowsdata -- there is a list of keys under the section "Create advanced filters with 'whitelist' and 'blacklist'". These keys are the same keys as if you were not rendering the event in XML.
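The following is an added example, not configuration posted by anyone in this thread. It shows the two places the filtering from the answer above can be done when renderXml = true: on the forwarder with whitelist/blacklist, which only understands the documented keys (EventCode, User, ComputerName, ...), and at index time with props.conf/transforms.conf, which matches the raw XML text and therefore can see any <Data Name='...'> element such as ParentImage. The log name (Microsoft-Windows-Sysmon/Operational, where ParentImage normally appears), the XmlWinEventLog:... sourcetype name and the transform name are assumptions for the example.

```ini
# --- inputs.conf (universal forwarder) ---
# Added example. Filtering here drops events before they leave the host,
# but only the documented keys are available: filter on EventCode, not on
# fields inside the XML. Sysmon EventCode 5 (process terminated) is used
# as an example of noise to drop at the source.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
blacklist1 = EventCode=%^5$%

# --- props.conf (indexer or heavy forwarder) ---
# Added example. The sourcetype name below is an assumption; check what the
# forwarder actually assigns to the XML-rendered events on your version.
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
TRANSFORMS-drop_splunkd = drop_splunkd_parent

# --- transforms.conf (same host as props.conf) ---
# Added example. Routes matching events to nullQueue so they are never
# indexed. The regex matches the XML EventData element for ParentImage
# whose value ends in \splunkd.exe; Windows renders the attribute with
# single quotes, so both quote styles are accepted.
[drop_splunkd_parent]
REGEX = <Data Name=['"]ParentImage['"]>[^<]*\\splunkd\.exe</Data>
DEST_KEY = queue
FORMAT = nullQueue
```

The trade-off: the inputs.conf blacklist saves forwarder bandwidth and license because the event never leaves the host, but it cannot inspect the XML body; the nullQueue transform can match any field in the rendered XML, but the event still crosses the network and is only discarded when it reaches the parsing queue. Test the REGEX against a real XML event from the target log before deploying it, since the attribute quoting and the exact element names vary between event providers.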