Hello Team,

I have been working to optimize the data going to Splunk and found that EventCode 4662, Object Type = Computers is forwarding a huge amount of data. Upon further investigation I found that events whose Subject User Name has a $ (Local Account) can be blacklisted from being sent to Splunk Cloud. To do so I added the regex below to the Splunk application on the Deployment Server:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"
blacklist2 = EventCode="4662" Message="Object Type:(?!\s*(groupPolicyContainer|computer|user))"
renderXml = true
index = DC_Events

The regex below works fine on sample data:

blacklist1 = EventCode="4662" Message="(?:<Data Name='SubjectUserName'>).+(?:\$)"

This would help me avoid sending events where the Subject User Name contains a $, which could save a lot of space in Splunk, as more than 100 servers are sending data to Splunk and that number will grow eventually.

Thanks & Regards,
Pratik Pashte
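Before rolling a blacklist regex out to every domain controller it is worth checking what it drops besides the intended events. The following is an added example, not part of the original post: it runs the posted blacklist1 pattern and a version anchored to the SubjectUserName element against three constructed XML 4662 events (the account names, DNs and share path are made up) and shows that the greedy `.+` also drops an event from an ordinary user whenever a later field happens to contain a `$`.

```python
import re

# With renderXml=true the blacklist regex is evaluated against the XML event
# text, so both patterns are tested against constructed XML below.
GREEDY = re.compile(r"(?:<Data Name='SubjectUserName'>).+(?:\$)")    # as posted
# Assumed tighter alternative: the $ must sit inside the SubjectUserName element.
TIGHT = re.compile(r"<Data Name='SubjectUserName'>[^<]*\$</Data>")

def event(subject: str, object_name: str) -> str:
    """Build a minimal constructed 4662 XML event (sample data, not a real log)."""
    return (
        "<Event><System><EventID>4662</EventID></System><EventData>"
        f"<Data Name='SubjectUserName'>{subject}</Data>"
        f"<Data Name='ObjectName'>{object_name}</Data>"
        "</EventData></Event>"
    )

# Constructed samples: a machine account, a plain user, and a plain user whose
# event carries a '$' in a later field.
EVENTS = {
    "machine_account": event("DC01$", "CN=DC01,OU=Domain Controllers,DC=corp,DC=local"),
    "user_no_dollar": event("jdoe", "CN=WS42,OU=Workstations,DC=corp,DC=local"),
    "user_dollar_later": event("jdoe", r"\\FS01\ADMIN$"),
}

def blacklisted(event_xml: str, pattern: re.Pattern) -> bool:
    """True if an event matching this blacklist regex would be dropped at the forwarder."""
    return pattern.search(event_xml) is not None

def compare() -> dict:
    """For each sample, report (dropped by GREEDY, dropped by TIGHT)."""
    return {name: (blacklisted(ev, GREEDY), blacklisted(ev, TIGHT))
            for name, ev in EVENTS.items()}

if __name__ == "__main__":
    for name, (greedy_drop, tight_drop) in compare().items():
        print(f"{name:18} posted regex drops={greedy_drop!s:5} anchored regex drops={tight_drop}")
```

Only the anchored pattern keeps the `user_dollar_later` event, which is the kind of user-initiated directory access a detection team usually wants to retain.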