I see this type of question has been asked several times, however I haven't been able to find the answer to my situation.
I need to have the below eventcode, computername and user added to the overall blacklist so it stops sending results up to Splunk.
I have added the below line to my inputs.conf file:
blacklist5 = EventCode="4625" ComputerName="specific-comp-name"
and that works as it will block all 4625 events from that specific computer name, however it works too well. I need to further narrow the filter to also include where user="User". When I add that:
blacklist5 = EventCode="4625" ComputerName="specific-comp-name" user="User"
The filter stops filtering out anything and once again all 4625 events are being sent up to Splunk.
Any help on how to get this accomplished is greatly appreciated.