4688 event code to be excluded from universal forwarder directory path alone

sureshkumaar
Path Finder

Tried the regexes below to blacklist or ignore 4688 event codes from the *.exe files coming from the Splunk forwarder path/directory.

But they're not working: either it's considering 4688 from both the Splunk and non-Splunk paths,

OR

it's not sending events from either the Splunk or the non-Splunk path.

Looking for a regex to add as a blacklist to ignore 4688 events coming from *.exe files that are part of the Splunk universal forwarder path/directory.

blacklist = EventCode="4688" Message="New Process Name: (?i)(?:[C-F]:\Program Files\Splunk(?:UniversalForwarder)?\bin\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe)"

blacklist = EventCode="4688" Message="New Process Name: (?:[a-zA-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.+\.exe)"

blacklist = EventCode="4688" Message="New Process Name: (?:[a-zA-Z]:\\\\Program Files\\\\Splunk(?:\\\\UniversalForwarder)?\\\\bin\\\\.+\\.exe)"

blacklist = EventCode="4688" Message="New Process Name: C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\"

blacklist = EventCode="4688" Message="New Process Name: C:\\Program Files\\SplunkUniversalForwarder\\bin\\"

blacklist = EventCode="4688" Message="New Process Name: (?i)[A-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.*\\.exe)"

blacklist = EventCode="4688" Message="New Process Name:\s*[A-Z]:\\Program Files\\Splunk(?:\\UniversalForwarder)?\\bin\\.+\\.exe)"

blacklist = EventCode="4688" Message="New Process Name:\s*[A-Z]:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\.*\\.exe"

1 Solution

sureshkumaar
Path Finder

Issue is fixed; the line below excludes the events when splunk*.exe is found for event code 4688.

blacklist3 = EventCode="4688" Message=".*(splunk-.*\.exe|splunk\.exe|splunkd\.exe).*"


PickleRick
SplunkTrust

Aren't you by any chance ingesting your events as XML?


sureshkumaar
Path Finder

Below is inputs.conf before the blacklist lines:

[WinEventLog://Security]
disabled = 0
checkpointInterval = 5
start_from = oldest
renderXml = false
evt_resolve_ad_obj = 1


PickleRick
SplunkTrust

OK. You seem to be struggling a bit with the regex. I hadn't read your attempts thoroughly before, but now I see that they seem to have some mistakes in one point or another.

Use regex101.com to verify your regexes. They don't need any escaping in the config as long as you choose proper delimiters which don't interfere with the regex contents (so if you want to enclose your regex in quotes, the regex itself mustn't contain quotes, and so on).

And I wouldn't worry about whether the group is capturing or not. It's not that important memory-wise in this case, and you're not using the groups for anything anyway.


livehybrid
SplunkTrust

Hi @sureshkumaar

Please could you post a sample event which is being ingested (but shouldn't be) so we can help work out the best blacklist values for this?

In the meantime, you might find some useful responses in the following:

https://community.splunk.com/t5/All-Apps-and-Add-ons/Windows-Process-Name-inputs-conf-Blacklisting-R...

https://community.splunk.com/t5/Getting-Data-In/How-to-edit-inputs-conf-to-blacklist-an-eventcode/td...

Thanks


sureshkumaar
Path Finder

Below is a 4688 event, where the code gets captured in a field called "EventCode":

A new process has been created.
 
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: SERVERNAME$
Account Domain: TRUE
Logon ID: 0x3E7
 
Target Subject:
Security ID:
Account Name:
Account Domain:
Logon ID:
 
Process Information:
New Process ID: 0x2650
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Creator Process ID: 0xf7c
Process Command Line: