Thanks for the quick reply, appreciate it!
I configured the following config in inputs.conf:
host = mysplunk
[splunktcp://9997]
[WinEventLog:System]
disabled = 0
# only index events with these event IDs.
whitelist = 7036-7037
# exclude these event IDs from being indexed.
blacklist = 0-7035,7037-10000
[WinEventLog:Security]
disabled = 0
whitelist = 0-1
blacklist = 4725-4800
I configured it in /opt/splunk/etc/system/local/inputs.conf, restarted Splunk and still get irrelevant events.
I copied it to /opt/splunk/etc/apps/Splunk_TA_windows/local/inputs.conf and to /opt/splunk/etc/apps/splunk_app_windows_infrastructure/local/inputs.conf, restarted Splunk and it is still the same.
Do I have to edit props.conf and transforms.conf?
Thanks in advance.