I'm trying to do some Windows event blacklisting due to a high volume on a particular server. However, I'm having trouble producing a search that matches the events without the search spanning multiple lines.

So we are dealing with Windows events:

    index=wineventlog source=wineventlog:security EventCode=4624

I have an extracted field (from the Windows infrastructure app) called member_id. This contains two values which seem to be separated by a new line, as they are vertically stacked and look like this when listed in stats or tables:

    NULL SID
    NT AUTHORITY\SYSTEM

This search below will match the events I'm after correctly:

    index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID NT AUTHORITY\\SYSTEM"

However, this does not work:

    index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\nNT AUTHORITY\\SYSTEM"

and neither does this:

    index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\r\nNT AUTHORITY\\SYSTEM"

or

    index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID\n\rNT AUTHORITY\\SYSTEM"

In my inputs.conf file I have tried the following, and it is not working. I suspect this is because the blacklist is not expecting to span multiple lines and doesn't know where to start and end.

inputs.conf (for the universal forwarder on the Windows endpoint):

    [WinEventLog://Security]
    disabled = 0
    blacklist = index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID NT AUTHORITY\\SYSTEM"
    blacklist1 = index=wineventlog source=wineventlog:security EventCode=4624 host=<Redacted> member_id="NULL SID <Redacted>\\<Redacted>$"

My Google-fu has failed me, and I don't seem to be able to find out how to do this. I hope some Splunk guru will be able to help me solve this.

Thanks in advance,
Sean
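Added example (not from Sean's post): a Python check of why a regex with a literal space, or even a literal line break, fails against the raw text of a 4624 message, plus a line-spanning alternative rendered in the documented inputs.conf key=regex form (blacklist1 = EventCode="..." Message="..."). The message layout below is a constructed assumption, and the example assumes the blacklist's regex engine honours the (?s) flag.

```python
import re

# Constructed excerpt of a 4624 message (an assumption about layout, not taken
# from the post): the two SID values sit on different lines with other text
# between them, so the raw Message never contains "NULL SID NT AUTHORITY\SYSTEM".
SAMPLE_4624 = (
    "An account was successfully logged on.\r\n"
    "\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tNULL SID\r\n"
    "\tAccount Name:\t\t-\r\n"
    "\r\n"
    "New Logon:\r\n"
    "\tSecurity ID:\t\tNT AUTHORITY\\SYSTEM\r\n"
    "\tAccount Name:\t\tSYSTEM\r\n"
)

# Regex as written in the post: one literal space between the two values.
SPACE_SEPARATED = r"NULL SID NT AUTHORITY\\SYSTEM"

# A correct line-break escape still fails here, because the values are not
# adjacent in the raw message (the field extraction only makes them look so).
CRLF_SEPARATED = r"NULL SID\r\nNT AUTHORITY\\SYSTEM"

# Line-spanning regex: (?s) lets '.' cross \r\n and .*? skips the text between
# the Subject and New Logon blocks. Escape sequences only, since a .conf value
# cannot hold a real line break; '\\' matches the single backslash in the SID.
LINE_SPANNING = r"(?s)Security ID:\s+NULL SID.*?Security ID:\s+NT AUTHORITY\\SYSTEM"


def is_blacklisted(message: str, pattern: str) -> bool:
    """Mimic a key=regex blacklist test applied to the Message text."""
    return re.search(pattern, message) is not None


def blacklist_line(event_code: str, message_regex: str) -> str:
    """Render the documented inputs.conf form: blacklist1 = EventCode="..." Message="..."."""
    return f'blacklist1 = EventCode="{event_code}" Message="{message_regex}"'


if __name__ == "__main__":
    print(is_blacklisted(SAMPLE_4624, SPACE_SEPARATED))  # False
    print(is_blacklisted(SAMPLE_4624, CRLF_SEPARATED))   # False
    print(is_blacklisted(SAMPLE_4624, LINE_SPANNING))    # True
    print(blacklist_line("4624", LINE_SPANNING))
```

The rendered line is what would go under the [WinEventLog://Security] stanza in place of the SPL-style blacklist values; check it against the forwarder's splunkd.log after a restart to confirm the stanza loaded without a regex error.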