Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Windows Event Log Inputs - Combining whitelists of EventCodes and SourceNames

adam_reber
Path Finder
‎11-04-2015 10:11 AM

I am trying to collect a whitelist of about 200 EventCodes in the Windows Security log, in addition to ANY event in the Security log that has a SourceName=MSSQL*. Here is what I have:

[WinEventLog://Security]
disabled = false
whitelist = 528,532,4624,4628...
whitelist1 = SourceName=%MSSQL.*%

However, now I only get MSSQL events, and it appears to ignore the first whitelist. How can I combine them so that I see any event matching, 528,532,4624,4628 regardless of SourceName, and any event with SourceName=MSSQL regardless of EventCode?

0 Karma
Reply

ltrand
Contributor
‎11-04-2015 10:30 AM

for whitelisting/blacklisting it needs to be formatted as follows:

whitelist.0 = first condition
whitelist.1 = second condition
whitelist.n = etc

0 Karma
Reply

adam_reber
Path Finder
‎11-04-2015 10:50 AM

For normal monitor inputs that is true, however the docs state otherwise for Windows Events.
http://docs.splunk.com/Documentation/Splunk/6.2.6/Admin/Inputsconf#inputs.conf.spec

whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]

whitelist1 = key=regex [key=regex]
whitelist2 = key=regex [key=regex]
whitelist3 = key=regex [key=regex]
blacklist1 = key=regex [key=regex]
blacklist2 = key=regex [key=regex]
blacklist3 = key=regex [key=regex]
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...