Splunk Enterprise

4688 event code to be excluded from universal forwarder directory path alone

sureshkumaar
Path Finder

Tried the regex below to blacklist or ignore 4688 event codes for *.exe files coming from the Splunk forwarder path/directory.

But it is not working: it's considering 4688 from both the Splunk and non-Splunk paths

OR

not sending events from both the Splunk and non-Splunk paths.

Looking for a regex to be added as a blacklist to ignore 4688 coming from *.exe files that are part of the Splunk universal forwarder path/directory.

blacklist = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"

blacklist = EventCode="4688" Message="New Process Name: (?:[a-zA-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.+\.exe)"

blacklist = EventCode="4688" Message="New Process Name: (?:[a-zA-Z]:\\\\Program Files\\\\Splunk(?:\\\\UniversalForwarder)?\\\\bin\\\\.+\\.exe)"

blacklist = EventCode="4688" Message="New Process Name: C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\"

blacklist = EventCode="4688" Message="New Process Name: C:\\Program Files\\SplunkUniversalForwarder\\bin\\"

blacklist = EventCode="4688" Message="New Process Name: (?i)[A-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.*\\.exe)"

blacklist = EventCode="4688" Message="New Process Name:\s*[A-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.+\\.exe)"

blacklist = EventCode="4688" Message="New Process Name:\s*[A-Z]:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\.*\\.exe"

1 Solution

sureshkumaar
Path Finder

The issue is fixed; the blacklist below excludes the events when splunk*.exe is found for event code 4688.

blacklist3 = EventCode="4688" Message=".*(splunk-.*\.exe|splunk\.exe|splunkd\.exe).*"



PickleRick
SplunkTrust

Aren't you by any chance ingesting your events as XML?


sureshkumaar
Path Finder

Below is inputs.conf before the blacklist lines:


[WinEventLog://Security]
disabled = 0
checkpointInterval = 5
disabled = 0
start_from = oldest
renderXml = false
evt_resolve_ad_obj = 1


PickleRick
SplunkTrust

OK. You seem to be struggling a bit with the regex. I haven't read your attempts thoroughly before, but now I see that they seem to have some mistakes in one point or another.

Use regex101.com to verify your regexes. They don't need any escaping in config as long as you choose proper delimiters which do not interfere with the regex contents (so if you want to enclose your regex with quotes, your regex itself mustn't contain quotes, and so on).

And I wouldn't worry about whether the group is capturing or not. It's not that important memory-wise in this case and you're not using the groups for anything anyway.


livehybrid
Influencer

Hi @sureshkumaar

Please could you post a sample event which is being ingested (which shouldn't be) so we can help work to provide the best blacklist values for this?

In the meantime, you might find some useful responses in the following:

https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Process-Name-inputs-conf-Blacklisting-R...

https://community.splunk.com/t5/Getting-Data-In/How-to-edit-inputs-conf-to-blacklist-an-eventcode/td...

Thanks


sureshkumaar
Path Finder

Below is an event for 4688, where the code gets captured in a field called "EventCode":

A new process has been created.
 
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: SERVERNAME$
Account Domain: TRUE
Logon ID: 0x3E7
 
Target Subject:
Security ID:
Account Name:
Account Domain:
Logon ID:
 
Process Information:
New Process ID: 0x2650
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0xf7c
Process Command Line:
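As an added check, not part of the thread: the script below runs the accepted blacklist regex and a path-anchored alternative (my assumption, not from the thread) against the posted 4688 event and a few constructed process paths. It shows that the accepted pattern also drops 4688 for any binary merely named like a Splunk executable, wherever it lives on disk, which matters if 4688 feeds process-creation detections; anchoring on the install directory keeps those events. It assumes Splunk's key=regex blacklist matches the regex anywhere in the field, as re.search does.

```python
import re

# Constructed 4688 Message text, modelled on the event posted in the thread;
# {path} is filled with the "New Process Name" value under test.
EVENT_TEMPLATE = (
    "A new process has been created.\n"
    "Process Information:\n"
    "New Process ID: 0x2650\n"
    "New Process Name: {path}\n"
    "Token Elevation Type: TokenElevationTypeDefault (1)\n"
)

# The accepted answer's Message regex, verbatim.
ACCEPTED = r".*(splunk-.*\.exe|splunk\.exe|splunkd\.exe).*"

# Hypothetical tightened variant (my assumption, not from the thread): only
# Splunk binaries under the forwarder/Enterprise install directory match.
PATH_ANCHORED = (
    r"(?i)New Process Name:\s*[A-Z]:\\Program Files\\Splunk(?:UniversalForwarder)?"
    r"\\bin\\(?:splunk|splunkd|splunk-[A-Za-z]+)\.exe"
)

# Constructed process paths: the posted event plus three made up for the test.
SAMPLES = {
    "forwarder":  r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe",
    "enterprise": r"C:\Program Files\Splunk\bin\splunkd.exe",
    "lookalike":  r"C:\Users\Public\splunkd.exe",   # same file name, wrong directory
    "unrelated":  r"C:\Windows\System32\svchost.exe",
}


def is_blacklisted(pattern: str, message: str) -> bool:
    """Assumes Splunk's key=regex blacklist matches the regex anywhere in the field."""
    return re.search(pattern, message) is not None


def classify(pattern: str) -> dict:
    """Map each sample name to whether the pattern would drop its 4688 event."""
    return {name: is_blacklisted(pattern, EVENT_TEMPLATE.format(path=path))
            for name, path in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("accepted", ACCEPTED), ("path-anchored", PATH_ANCHORED)):
        dropped = [name for name, hit in classify(pattern).items() if hit]
        print(f"{label}: drops 4688 for {dropped}")
```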