@tscroggins  Hi Tscroggins! Using a ChatGPT for good cause for example helping another human being then it's yes. If the solution is not working then NO. ... View more

@AL3Z  In the context of blacklisting Windows events using inputs.conf for a Universal Forwarder, the relevant process name field you would typically use depends on your specific requirements. Let me break down the options you mentioned: CreatorProcessName: This field represents the name of the process that created the new process. If you are interested in events based on the process that initiated the creation of another process, you might use this field. ParentProcessName: This field indicates the name of the parent process that spawned the new process. If you want to blacklist events based on the immediate parent process, you would use this field. NewProcessName: This field represents the name of the new process that was created. If you are looking to blacklist events based on the specific process that is created, this would be the field to use. When configuring blacklisting for Windows events, you may need to consider your specific use case and the level of granularity you require. For instance, if you want to block events based on a certain application being launched, you would use the "NewProcessName." If you want to block events based on a specific process initiating the creation of other processes, you might use "CreatorProcessName" or "ParentProcessName." Here's a basic example of how you might use inputs.conf to blacklist events based on the NewProcessName: [monitor://C:\Path\To\Your\Logs] disabled = false index = your_index sourcetype = your_sourcetype ignoreOlderThan = <your_time_specification> blacklist = \.exe$ ; Adjust this regex pattern based on your needs In the example above, the "blacklist" line uses a regular expression to filter out events where the new process name ends with ".exe". Adjust the regex pattern according to your requirements. Remember to restart the Universal Forwarder after making changes to the inputs.conf file for the changes to take effect. Always test your configurations in a controlled environment to ensure they behave as expected before deploying them in a production setting. Thanks rasad4468 ... View more

  It seems like your custom search command is being executed twice because of the way Splunk handles the map/reduce phases in a distributed search environment. This behavior is expected in certain scenarios, and it's often related to how Splunk distributes and processes data across different search peers. In your specific case, the key information is found in the search.log: 09-13-2018 11:33:08.462 INFO ParallelReducePolicy - Current Search Head doesn't have any usable peers to use. 09-13-2018 11:33:08.462 INFO PhaseNodeGenerationVisitor - User lacking run_multi_phased_searches, rolling back to 2-phase mode. Splunk is running the map phase twice because it's not able to parallelize the search across multiple search peers. As a result, it falls back to a two-phase execution (map and reduce) on the search head itself. To avoid this behavior, you might want to consider the following: Parallelization: Ensure that your search environment has multiple search peers that can be utilized for parallel processing. This may involve configuring search peer clustering or making adjustments to your distributed environment. run_multi_phased_searches: The log mentions that the user lacks the run_multi_phased_searches capability. This capability allows Splunk to run multiple phases on different search peers simultaneously. You might want to check the user's role and capabilities to ensure it has the necessary permissions. Debugging: Consider adding more logging statements to your custom search command to trace the execution flow and see if it provides additional insights into why it's being called twice. Splunk Documentation: Check the Splunk documentation for custom search commands and distributed search to see if there are any specific guidelines or recommendations for handling distributed environments. Splunk Answers: Search the Splunk Answers community for similar issues or ask a question there. The community is active, and you might find someone who has encountered and resolved a similar problem. Keep in mind that Splunk's distributed search behavior can be complex, and understanding how it distributes and processes data is crucial for developing efficient custom search commands.   I hope this will help Thanks rasad4468   ... View more