Does anyone out there have a best practice for testing Windows event inputs.conf blacklist entries?
What actual event/part of the event is used for testing? The data in the splunk event gathered from a search? Or am I going straight to the windows box and copying the text from the General tab or the Friendly view?
I use regex101 and regexr and even sublime when needed to test regex's but I feel like looking through multiple posts everyone achieves their goals a little bit differently.
Would be great if Splunk provided a step by step document on how best to achieve this and ensure it works.
Thanks,
Andrew
Hi @adalbor,
This is very well details here :
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Configuration_set...
Have a look at the blacklist
section there.
You can even find advanced configurations and examples here :
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Create_advanced_f...
You can use an example event from Splunk to test your regex. After searching for the event you wish to test out, add |table _raw
to your query to see the raw log line.
Let me know if you need more details.
Cheers,
David
Thanks for the advice on using the _raw.
I've looked at the official documentation quite a few times and there is still left to be desired. It goes into some simple use cases but nothing actually advanced in my opinion.
yeah.. It's called advanced in the documentation, but as usual the "advanced" that is documented is only there to help build things... surely nothing compared to what you can do with ninja skills and good imagination.
Anyway let me know if you still anything else and please accept the answer if it was helpful 🙂