Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Windows inputs.conf blacklist testing process

adalbor
Builder
‎12-03-2019 08:14 AM

Does anyone out there have a best practice for testing Windows event inputs.conf blacklist entries?

What actual event/part of the event is used for testing? The data in the splunk event gathered from a search? Or am I going straight to the windows box and copying the text from the General tab or the Friendly view?

I use regex101 and regexr and even sublime when needed to test regex's but I feel like looking through multiple posts everyone achieves their goals a little bit differently.

Would be great if Splunk provided a step by step document on how best to achieve this and ensure it works.

Thanks,
Andrew

0 Karma
Reply

DavidHourani
Super Champion
‎12-03-2019 08:22 AM

Hi @adalbor,

This is very well details here :
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Configuration_set...
Have a look at the blacklist section there.

You can even find advanced configurations and examples here :
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Create_advanced_f...

You can use an example event from Splunk to test your regex. After searching for the event you wish to test out, add |table _raw to your query to see the raw log line.

Let me know if you need more details.

Cheers,
David

Reply

adalbor
Builder
‎12-03-2019 08:29 AM

Thanks for the advice on using the _raw.

I've looked at the official documentation quite a few times and there is still left to be desired. It goes into some simple use cases but nothing actually advanced in my opinion.

0 Karma
Reply

DavidHourani
Super Champion
‎12-03-2019 08:33 AM

yeah.. It's called advanced in the documentation, but as usual the "advanced" that is documented is only there to help build things... surely nothing compared to what you can do with ninja skills and good imagination.

Anyway let me know if you still anything else and please accept the answer if it was helpful 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...