Splunk Enterprise

4688 event code to be excluded from universal forwarder directory path alone

sureshkumaar
Path Finder

Tried the below regexes to blacklist or ignore 4688 event codes from the *.exe files coming from the splunk forwarder path/directory.

But it's not working: it's considering 4688 from both the splunk and non-splunk paths,

OR

not sending events from either the splunk or the non-splunk path.

Looking for a regex to be added as a blacklist to ignore 4688 events coming from *.exe files that are part of the splunk universal forwarder path/directory.

 

blacklist = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"

blacklist = EventCode="4688" Message="New Process Name: (?:[a-zA-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.+\.exe)"

blacklist = EventCode="4688" Message="New Process Name: (?:[a-zA-Z]:\\\\Program Files\\\\Splunk(?:\\\\UniversalForwarder)?\\\\bin\\\\.+\\.exe)"

blacklist = EventCode="4688" Message="New Process Name: C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\"

blacklist = EventCode="4688" Message="New Process Name: C:\\Program Files\\SplunkUniversalForwarder\\bin\\"

blacklist = EventCode="4688" Message="New Process Name: (?i)[A-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.*\\.exe)"

blacklist = EventCode="4688" Message="New Process Name:\s*[A-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.+\\.exe)"

blacklist = EventCode="4688" Message="New Process Name:\s*[A-Z]:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\.*\\.exe"


sureshkumaar
Path Finder

Issue is fixed; the below excluded the events when splunk*.exe is found for the 4688 event code.

blacklist3 = EventCode="4688" Message=".*(splunk-.*\.exe|splunk\.exe|splunkd\.exe).*"


PickleRick
SplunkTrust

Aren't you by any chance ingesting your events as XML?


sureshkumaar
Path Finder

Below is inputs.conf before the blacklist lines.


[WinEventLog://Security]
disabled = 0
checkpointInterval = 5
disabled = 0
start_from = oldest
renderXml = false
evt_resolve_ad_obj = 1


PickleRick
SplunkTrust

OK. You seem to be struggling a bit with the regex. I haven't read your attempts thoroughly before, but now I see that they seem to have some mistakes in one point or another.

Use regex101.com to verify your regexes. They don't need any escaping in config as long as you choose proper delimiters which do not interfere with the regex contents (so if you want to enclose your regex with quotes, your regex itself mustn't contain quotes, and so on).

And I wouldn't worry about whether the group is capturing or not. It's not that important memory-wise in this case and you're not using the groups for anything anyway.


livehybrid
SplunkTrust

Hi @sureshkumaar

Please could you post a sample event which is being ingested (which shouldn't be) so we can help work out the best blacklist values for this?

In the meantime, you might find some useful responses in the following:

https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Process-Name-inputs-conf-Blacklisting-R...

https://community.splunk.com/t5/Getting-Data-In/How-to-edit-inputs-conf-to-blacklist-an-eventcode/td...

Thanks


sureshkumaar
Path Finder

Below are the events for 4688, where the code gets captured in a field called "EventCode".


A new process has been created.
 
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: SERVERNAME$
Account Domain: TRUE
Logon ID: 0x3E7
 
Target Subject:
Security ID:
Account Name:
Account Domain:
Logon ID:
 
Process Information:
New Process ID: 0x2650
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0xf7c
Process Command Line:
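To see what these blacklists actually do against the posted message, here is an added Python check (not from the thread, and not Splunk's own code): it runs the accepted regex, one of the earlier attempts, and a tighter alternative over a constructed copy of the 4688 message above, plus a constructed event for a cmd.exe whose command line merely names splunk.exe. The two sample events, the tighter regex, and the assumption that a blacklist regex is searched anywhere within the Message value are this example's own.

```python
import re

# Constructed sample, modeled on the 4688 message posted in the thread
# (backslashes are doubled only because this is a Python string literal).
SPLUNK_EVENT = (
    "A new process has been created.\n"
    "Process Information:\n"
    "New Process ID: 0x2650\n"
    "New Process Name: C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\n"
    "Creator Process ID: 0xf7c\n"
    "Process Command Line:\n"
)

# Constructed: an operator restarting the forwarder from cmd.exe. The new
# process is cmd.exe; only its command line mentions a Splunk binary.
OTHER_EVENT = (
    "A new process has been created.\n"
    "Process Information:\n"
    "New Process Name: C:\\Windows\\System32\\cmd.exe\n"
    "Process Command Line: cmd.exe /c \"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe\" restart\n"
)

# The blacklist regex the thread ended up with (blacklist3).
ACCEPTED = r".*(splunk-.*\.exe|splunk\.exe|splunkd\.exe).*"

# One of the earlier attempts from the question. It spells the directory as
# Splunk\UniversalForwarder (optional second component), but the posted
# path has a single component, SplunkUniversalForwarder.
SPLIT_DIR_ATTEMPT = (
    r"New Process Name: (?:[a-zA-Z]:\\Program Files\\Splunk"
    r"(?:\\UniversalForwarder)?\\bin\\.+\.exe)"
)

# Tighter alternative (an assumption of this example, not from the thread):
# anchor on the "New Process Name:" line and the forwarder's bin directory,
# so a mention of splunk.exe elsewhere in the message does not match.
PRECISE = (
    r"New Process Name:\s*[A-Za-z]:\\Program Files\\SplunkUniversalForwarder"
    r"\\bin\\splunk[^\\\r\n]*\.exe"
)


def blacklisted(pattern: str, message: str) -> bool:
    """True if the pattern matches somewhere in the Message value."""
    return re.search(pattern, message) is not None


def summarize(pattern: str) -> dict:
    """Which of the two constructed events a pattern would drop."""
    return {"splunk_binary": blacklisted(pattern, SPLUNK_EVENT),
            "cmd_mentioning_splunk": blacklisted(pattern, OTHER_EVENT)}
```

The accepted pattern also drops the cmd.exe event, so any process whose command line names a Splunk binary disappears from the Security feed; anchoring on the New Process Name line keeps those events while still excluding the forwarder's own binaries.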