Splunk Search

Similar EventIds been taken in splunk

agupta2607
New Member

Hi All,

My inputs conf are as follows
[WinEventLog://Application]
disabled = 0
whitelist = EventCode="26|25|19"
whitelist1 = SourceName="DWMRCS"
index = wineventlog
evt_resolve_ad_obj = 0
checkpointInterval = 5

Result : Getting all events which include 26 ,25,19
i.e. 326,1026,1025,10025,259,258, and more.

I also tried
[WinEventLog://Application]
disabled = 0
whitelist = EventCode="^26$|^25$|^19$"
whitelist1 = SourceName="DWMRCS"
index = wineventlog
evt_resolve_ad_obj = 0
checkpointInterval = 5

But same results.

Thanks In Advance

Tags (1)
0 Karma

diogofgm
SplunkTrust
SplunkTrust

You can use ranges of event ids in white and blacklist without the regex

Example:

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs.
whitelist = 0-2000,3001-10000
# exclude these event IDs from being indexed.
blacklist = 2001-3000

More information from docs:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/MonitorWindowseventlogdata#Configuration_set...

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

agupta2607
New Member

Have someone faced the same issue?

0 Karma

jaime_ramirez
Communicator

Have you tried the following?:

[WinEventLog://Application]
disabled = 0
whitelist = 26,25,19
whitelist1 = SourceName="DWMRCS"
index = wineventlog
evt_resolve_ad_obj = 0
checkpointInterval = 5

Hope it helps!!!

0 Karma

agupta2607
New Member

yes, I have tries this but does not work.

With my config, I just need to get the regex to get the exact EventCode.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...