Is there a format that needs to be adhered to when using a blacklist with regex?
I am trying to format "New Process Name:" with a regex that will extract events from a specific data source.
I have tested the regex with regex101, and it identifies the events that I want to filter. It is basically:
blacklist3 = New\sProcess\sName\:\s+C\:\\Program\sFiles\s\(x86\)\\......
Should that work, or do I need to format it as something more like:
blacklist3 = New Process Name = C\:\\Program\sFiles\s\(x86\)\\......
My current blacklist is resulting in:
ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist3' [legacy], range error found in 'regex'......
According to this document,
https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Whitelistorblacklistspecificincomingdata
blacklist = <your_custom_regex>
should work.
Thanks
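One way to sanity-check a blacklist regex offline before putting it into inputs.conf: compile it and run it against a few sample "New Process Name:" lines, and see what a compile failure looks like. This is an added example, not code from the question or from Splunk; the sample messages and the trailing path component are constructed, and Python's re engine is only an approximation of the PCRE engine Splunk uses, so treat a match here as a hint rather than proof.

```python
import re
from typing import List, Tuple

# Constructed sample "New Process Name:" lines, modelled on the text of
# Windows Security event 4688 as forwarded by splunk-winevtlog (not real data).
SAMPLE_MESSAGES = [
    "New Process Name:\tC:\\Program Files (x86)\\Vendor\\agent.exe",
    "New Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe",
    "New Process Name:\tC:\\Windows\\System32\\svchost.exe",
]

# Pattern in the style of the question: spaces as \s, backslashes and
# parentheses escaped as literals. Only the prefix is kept; the rest of the
# path in the original is unknown, so this is an assumption.
BLACKLIST_PATTERN = r"New\sProcess\sName\:\s+C\:\\Program\sFiles\s\(x86\)\\"


def check_blacklist(pattern: str, messages: List[str]) -> Tuple[bool, str, List[str]]:
    """Compile `pattern` and return (compiled_ok, error_text, matched_messages).

    A pattern that fails to compile returns (False, <reason>, []); otherwise
    the third element lists every message the blacklist would suppress.
    """
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        return False, str(exc), []
    return True, "", [m for m in messages if rx.search(m)]


if __name__ == "__main__":
    ok, err, hits = check_blacklist(BLACKLIST_PATTERN, SAMPLE_MESSAGES)
    print("compiled:", ok, err)
    for h in hits:
        print("would be dropped:", h)
    # Constructed pattern with a reversed character class, to show how a
    # compile-time range error is reported by the harness (not the poster's bug).
    ok, err, _ = check_blacklist(r"New Process Name:[z-a]", SAMPLE_MESSAGES)
    print("compiled:", ok, "->", err)
```

Any message listed as dropped would be suppressed at the forwarder, so check that nothing you still need to collect appears in that list.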