Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Similar EventIds been taken in splunk

agupta2607
New Member
‎08-06-2019 02:40 AM

Hi All,

My inputs conf are as follows
[WinEventLog://Application]
disabled = 0
whitelist = EventCode="26|25|19"
whitelist1 = SourceName="DWMRCS"
index = wineventlog
evt_resolve_ad_obj = 0
checkpointInterval = 5

Result : Getting all events which include 26 ,25,19
i.e. 326,1026,1025,10025,259,258, and more.

I also tried
[WinEventLog://Application]
disabled = 0
whitelist = EventCode="^26$|^25$|^19$"
whitelist1 = SourceName="DWMRCS"
index = wineventlog
evt_resolve_ad_obj = 0
checkpointInterval = 5

But same results.

Thanks In Advance

Tags (1)
0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎08-26-2019 05:23 AM

You can use ranges of event ids in white and blacklist without the regex

Example:

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs.
whitelist = 0-2000,3001-10000
# exclude these event IDs from being indexed.
blacklist = 2001-3000

More information from docs:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/MonitorWindowseventlogdata#Configuration_set...

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

agupta2607
New Member
‎08-26-2019 04:28 AM

Have someone faced the same issue?

0 Karma
Reply

jaime_ramirez
Communicator
‎08-06-2019 01:26 PM

Have you tried the following?:

[WinEventLog://Application]
disabled = 0
whitelist = 26,25,19
whitelist1 = SourceName="DWMRCS"
index = wineventlog
evt_resolve_ad_obj = 0
checkpointInterval = 5

Hope it helps!!!

0 Karma
Reply

agupta2607
New Member
‎08-07-2019 05:23 AM

yes, I have tries this but does not work.

With my config, I just need to get the regex to get the exact EventCode.

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...