Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Whitelist stacking issues in inputs.conf

benbabich
Explorer
‎05-07-2018 11:31 AM

I only want Error and Warning events from Windows System logs, except for a couple of individual events (104 and 1074) which I want event though they're 'information' events.

[WinEventLog://System]
disabled = 0
whitelist1 = 104,1074
whitelist2 = Type=/Error|Warning/

If I have just whitelist 1, I get the 1074 events (which are informational) but when I add whitelist 2, I only get Error and Warning events but no longer get 1074 events. How to I get both?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

benbabich
Explorer
‎05-14-2018 12:16 PM

Once Regex enters the fray under [WinEventLog://System], the other system (commas) is thrown out the window.
"You have to use exclusively just event code (like whitelist1), or key/value regexes (like whitelist2). You can't mix and match in the same input stanza".
Got that info from PeanutButterW0lf over on reddit.com/r/splunk, so props to him.

This works:
[WinEventLog://System]
disabled = 0
whitelist = EventCode="104|1074|2020|6008|6009|12295|29223|40960|40961"
whitelist1 = Type=/Error|Warning/

View solution in original post

Reply
Solved! Jump to solution
Solution

benbabich
Explorer
‎05-14-2018 12:16 PM

Once Regex enters the fray under [WinEventLog://System], the other system (commas) is thrown out the window.
"You have to use exclusively just event code (like whitelist1), or key/value regexes (like whitelist2). You can't mix and match in the same input stanza".
Got that info from PeanutButterW0lf over on reddit.com/r/splunk, so props to him.

This works:
[WinEventLog://System]
disabled = 0
whitelist = EventCode="104|1074|2020|6008|6009|12295|29223|40960|40961"
whitelist1 = Type=/Error|Warning/

Reply
Solved! Jump to solution

jcrabb_splunk
Splunk Employee
Splunk Employee
‎05-15-2018 05:19 AM

Sorry I hadn't had time to do testing for this as I was traveling but glad you got it resolved.

Jacob
Sr. Technical Support Engineer
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...