I am using the Splunk  Add-on for Microsoft Windows. The inputs.conf files on the hosts are located in: C:\SplunkUF\etc\apps\Splunk_TA_windows\local\inputs.conf ... View more

Thank you for your advice!   ... View more

Actually, you can blacklist by eventcodes or by regex. (and with a caveat that if you use renderXml=true, you have to specify blacklist differently). ... View more

Try removing the quotes from the file path. Check splunkd.log for errors relating to that input. ... View more

Hi @sswigart , as also @dtburrows3 said, SED-CMD removes a part of the event, not the entire event. If you want to remove the full event before indexing see at https://docs.splunk.com/Documentation/Splunk/9.2.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues Ciao. Giuseppe ... View more

Thank you! ... View more

My example was XML for use in a classic dashboard - so if you take the entire XML below and create a new dashboard and paste in this into the source. <dashboard version="1.1"> <row> <panel> <table> <title>Turning the Time column red if outside hours 18:00 to 06:00</title> <search> <query> index="winlogs" host=* source="WinEventLog:Security" Eventcode=4624 Logon_Type=2 OR Logon_Type=7 NOT dest_nt_domain="Window Manager" NOT dest_nt_domain="Font Driver Host" | sort_time | convert ctime(_time) as timestamp | table timestamp,EventCode,Logon_Type,Account_Name,RecordNumber,status </query> <earliest>-24h@h</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <format type="color" field="timestamp"> <colorPalette type="expression">if(tonumber(substr(value,12,2))&gt;=18 OR tonumber(substr(value,12,2))&lt;6, "#FF0000", "#FFFFFF")</colorPalette> </format> </table> </panel> </row> </dashboard> This is what an XML dashboard looks like. You can see your search in the <search> section and the <format> section is what defines your colours and testing the time range. That documentation for the format is here https://docs.splunk.com/Documentation/Splunk/9.1.0/Viz/TableFormatsXML   ... View more

Hi @sswigart, you can whitelist the EventCodes related to logins but in this way you exclude all the other EventCodes, I think that it's better to filter these events at search time. Anyway, at http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf there's an example of whitelisting Windows EventCodes. Ciao. Giuseppe ... View more

Hi dyude @jonsantos , Can u try this, On the deployment server create an inputs.conf file in the local diretory of winevt app( $SPLUNK_HOME/etc/deployment-apps/winevt/local/inputs.conf) and then try pushing the file. [WinEventLog://Security] disabled = 0 whitelist1 = EventCode=4625 An inputs.conf should get created in local directory of winevt app in the forwarder(C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\local\inputs.conf ). Check the permission of the inputs.conf file in forwarder. Search the logs with the given index name(if any). Let me know if this helps ... View more