×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
jonsantos
Engager
Member since: ‎04-22-2015
‎10-12-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎04-22-2015
Activity Feed
View All

Re: Input.conf on Deployment App

by SplunkTrust in Getting Data In
‎01-19-2021 08:48 PM
1 Karma
‎01-19-2021 08:48 PM
1 Karma
Hi @jonsantos, Windows notepad cannot show Linux line endings properly, that should not be a problem. Please try filter with quotes like below; [WinEventLog://System] blacklist = EventCode="xxxx"   If this reply helps you an upvote is appreciated. ... View more

Re: Whitelist/Blacklist Event ID using Forwarder M...

by in Getting Data In
‎01-26-2020 12:29 PM
‎01-26-2020 12:29 PM
Hi dyude @jonsantos , Can u try this, On the deployment server create an inputs.conf file in the local diretory of winevt app( $SPLUNK_HOME/etc/deployment-apps/winevt/local/inputs.conf) and then try pushing the file. [WinEventLog://Security] disabled = 0 whitelist1 = EventCode=4625 An inputs.conf should get created in local directory of winevt app in the forwarder(C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\local\inputs.conf ). Check the permission of the inputs.conf file in forwarder. Search the logs with the given index name(if any). Let me know if this helps ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-12-2021 12:01 PM
Karma given to
View All