Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Windows inputs.conf blacklist testing process

adalbor
Builder
‎12-03-2019 08:14 AM

Does anyone out there have a best practice for testing Windows event inputs.conf blacklist entries?

What actual event/part of the event is used for testing? The data in the splunk event gathered from a search? Or am I going straight to the windows box and copying the text from the General tab or the Friendly view?

I use regex101 and regexr and even sublime when needed to test regex's but I feel like looking through multiple posts everyone achieves their goals a little bit differently.

Would be great if Splunk provided a step by step document on how best to achieve this and ensure it works.

Thanks,
Andrew

0 Karma
Reply

DavidHourani
Super Champion
‎12-03-2019 08:22 AM

Hi @adalbor,

This is very well details here :
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Configuration_set...
Have a look at the blacklist section there.

You can even find advanced configurations and examples here :
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Create_advanced_f...

You can use an example event from Splunk to test your regex. After searching for the event you wish to test out, add |table _raw to your query to see the raw log line.

Let me know if you need more details.

Cheers,
David

Reply

adalbor
Builder
‎12-03-2019 08:29 AM

Thanks for the advice on using the _raw.

I've looked at the official documentation quite a few times and there is still left to be desired. It goes into some simple use cases but nothing actually advanced in my opinion.

0 Karma
Reply

DavidHourani
Super Champion
‎12-03-2019 08:33 AM

yeah.. It's called advanced in the documentation, but as usual the "advanced" that is documented is only there to help build things... surely nothing compared to what you can do with ninja skills and good imagination.

Anyway let me know if you still anything else and please accept the answer if it was helpful 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...