How will I whitelist a specific TaskName in inputs.conf in the Splunk forwarder configuration for WinEventLog Task Scheduler/Operational?
Pulled data Example:
....<Data Name='TaskName'>\Job 1</Data>.....
....<Data Name='TaskName'>\Job 2</Data>.....
....<Data Name='TaskName'>\Other 1</Data>.....
I only need to pull data for Job 1 and Job 2. How can I filter multiple jobs in inputs.conf?
Splunk supports whitelisting based on a fixed set of keywords. "Data Name" is not one of them, but Message is. If the TaskName is part of the Message text then perhaps this whitelist will help.
whitelist1 = Message=:"TaskName'\>\\Job [12]\<:
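As an added example (not from this thread or from Splunk itself), a small Python check that tests a TaskName regex against constructed rendered-XML events before it goes into a whitelist; the event strings and the pattern are assumptions modelled on the Data elements quoted in the question. It only validates the regex, and says nothing about which keys Splunk accepts in a whitelist.

```python
import re
from typing import List, Optional

# Constructed sample events (not real exports), each standing in for the rendered
# XML of one Microsoft-Windows-TaskScheduler/Operational event with renderXml = true.
SAMPLE_EVENTS = [
    "<Event><EventData><Data Name='TaskName'>\\Job 1</Data></EventData></Event>",
    "<Event><EventData><Data Name='TaskName'>\\Job 2</Data></EventData></Event>",
    "<Event><EventData><Data Name='TaskName'>\\Other 1</Data></EventData></Event>",
    "<Event><EventData><Data Name='TaskName'>\\Job 10</Data></EventData></Event>",
]

# Assumed regex mirroring the idea in the answer: keep only \Job 1 and \Job 2.
# Anchoring on the closing </Data> tag stops "\Job 10" from matching "\Job 1".
TASKNAME_PATTERN = re.compile(r"<Data Name='TaskName'>\\Job [12]</Data>")


def task_name(event_xml: str) -> Optional[str]:
    """Return the TaskName value of a rendered-XML event, or None if absent."""
    m = re.search(r"<Data Name='TaskName'>([^<]*)</Data>", event_xml)
    return m.group(1) if m else None


def whitelisted(event_xml: str, pattern: re.Pattern = TASKNAME_PATTERN) -> bool:
    """True if the event text would pass a whitelist built from this regex."""
    return pattern.search(event_xml) is not None


def filter_events(events: List[str], pattern: re.Pattern = TASKNAME_PATTERN) -> List[str]:
    """Return the TaskNames of the events that pass the whitelist regex."""
    return [task_name(e) for e in events if whitelisted(e, pattern)]


if __name__ == "__main__":
    # Expected: ['\\Job 1', '\\Job 2']
    print(filter_events(SAMPLE_EVENTS))
```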
I believe, @richgalloway, that the TaskName is not under a Message keyword accepted by the whitelisting. With this, do we have any workaround? Or, once the keyword is not one of:
Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User
does that mean it will not work at all?
If the keyword is not in that list then it cannot be used in a whitelist or blacklist.
Hi, I appreciate your help, but it is still not working on my end 😞 I have tried the configuration, but no data is being pulled.
This is the inputs.conf:

[WinEventLog://Microsoft-Windows-TaskScheduler/Operational]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
renderXml = true
whitelist1 = Message=:'TaskName'\>\\Service Process\\<:
index = winevents_index