Getting Data In

inputs.conf blacklist format- Is there a format that needs to be adhered to when using a blacklist with regex?

dolj
Loves-to-Learn Everything

is there a format that needs to be adhered to when using a blacklist with regex? 

I am trying to format "New Process Name:" with a regex that will extract events from a specific data source. 

I have tested the regex with regex101 and it identifies the events that I want to filter and is basically

blacklist3 = New\sProcess\sName\:\s+C\:\\Program\sFiles\s\(x86\)\\......

should that work or do I need to format it something more like

blacklist3 = New Process Name = C\:\\Program\sFiles\s\(x86\)\\...... 

my current blacklist is resulting in 

ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist3' [legacy], range error found in 'regex'......

According to this document,

https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Whitelistorblacklistspecificincomingdata

blacklist = <your_custom_regex>

 should work. 

 

Thanks

Labels (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @dolj,

when you have "\" backslash in your blacklist, you have to escape it using three backslashes:

blacklist3 = New\sProcess\sName:\s+C:\\\Program\sFiles\s\(x86\)\\\......

you can try it in Splunk search to find the correct regex to filter your filenames, something like this:

| makeresults | eval _raw= "C:\Program Files (x86)\Google" | regex "C:\\\Program Files \(x86\)\\\Google"

Ciao.

Giuseppe

0 Karma

jotne
Builder

Escaping with regex may make it hard to read, but luckily there is a smart way around it.
You can start and stop in regex with \Q  and \E on what you like to get literal.

| makeresults
| eval _raw= "C:\Program Files (x86)\Google"
| regex "\QC:\Program Files (x86)\Google\E"

 This makes regex much more readable.
https://www.regular-expressions.info/characters.html

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...