×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
thekevinkalis
Engager
Member since: ‎09-03-2025
‎09-03-2025
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-03-2025
Activity Feed
View All

Re: Filtering on WinEvent IDs

by in Getting Data In
‎09-04-2025 01:11 AM
‎09-04-2025 01:11 AM
@PickleRick thanks, I think that's done it, I've changed the message part of the blacklist with that bit of regex you suggested, and have it working now. Now I can get round to some fine tuning. As a side note, to anyone who might come across this: My original (non working) text didn't contain a ":" as it was used in the source message. Once I corrected it to match, it started working. So it turned out as: blacklist4 = EventCode="5152" Message="Protocol:\s*17" ... View more

Re: Filtering on WinEvent IDs

by in Getting Data In
‎09-04-2025 12:45 AM
‎09-04-2025 12:45 AM
@PickleRick thanks for responding, however reading those docs are confusing as hell, and I feel like I know even less now. Could you possible dumb it down (even further) for me? I have RenderXml set to "False" This is the part of my "inputs.conf" I'm looking at, specifically the "blacklist4" line is causing major frustration: [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 key=*regex* blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)" blacklist3 = 4624,4634,4648,4719,4798,4799,5379,5381,5382,4985,4663,4672 blacklist4 = EventCode="5152" Message="Protocol = 17" renderXml = false I've already tried a bunch of different formatting for the message part. As soon as I omit it, the events are blocked, but I can't get that filter to do what I want. ... View more

Filtering on WinEvent IDs

by in Getting Data In
‎09-03-2025 11:13 PM
‎09-03-2025 11:13 PM
Hi all, sorry if this has been asked before, but my initial searches haven't turned up anything. I'm fairly new to Splunk so just finding my way.  I'm trying to add Windows Firewall events to a Splunk instance with a Universal Forwarder, but I'm trying to filter some of the noise from the specific event - specifically the Unicast messages are of no interest to me. So I've tried simply creating a blacklist in my inputs.conf blacklist4 = EventCode="5152" Protocol="17" However, this doesn't work, and simply allows all those events through. From what I've been able to find, I can't quite figure out how I need to create the blacklist to block only those specific events. Any help would be most appreciated. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-03-2025 11:07 PM