cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
kknair007
Observer
Member since: ‎08-28-2022
‎12-14-2022
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-28-2022
View All

Re: Filtering Windows 4662 logs in Windows - Not w...

by in Getting Data In
‎08-29-2022 03:59 AM
‎08-29-2022 03:59 AM
@richgalloway I tried the below as you suggested, not working.  blacklist = EventCode="4662" Message="Object Type:\s*(dnsNode|dnsZone|container|computer|SecretObject)" \s* caters to all whitespaces. What about other characters and numbers in Message field which has to be matched since Object Type is coming somewhere in the middle as per the raw event.  Can you pls shed some light on this regex, Rich?   ... View more

Re: Why is X509 certificate default using warning?

by in Security
‎08-28-2022 05:34 AM
‎08-28-2022 05:34 AM
@mommyfixit  By the way, are you getting the cert error on GUI or at the backend. Please ensure the settings mentioned in the below link is intact.  One point, ensure EnableSSL=true setting in web.conf if you're getting the error in GUI. https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/ConfigureSplunkforwardingtousesignedcertificates Just trying to help. Thanks.   ... View more

Re: Blacklist with filter on windows event logs no...

by in Getting Data In
‎08-28-2022 05:23 AM
‎08-28-2022 05:23 AM
@catchvjay You may try this  : blacklist1 = EventCode="4769"  Message="Account Name:(\W+\w+$)" ... View more

Filtering Windows 4662 logs in Windows - Not worki...

by in Getting Data In
‎08-28-2022 05:09 AM
‎08-28-2022 05:09 AM
Hello all, I am trying to filter out those noisy 4662 logs eating our license like anything as recommended in Splunk blogs and forums. Tried the below stanza for 4662 to blacklist everything except GPO related events, but not working as expected. Any help to fix the regex part. blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" Raw Message is below :  Message=An operation was performed on an object. Subject : Security ID: $ Account Name: $ Account Domain:  Logon ID: 0x7F897031 Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN={123456-D64E-4013-ACC5-F78A}CN=Policies,CN=System,DC=xyz,DC=xyyz,DC=com Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Read Property Access Mask: 0x10 Properties: --- Public Information distinguishedName groupPolicyContainer Additional Information: Parameter 1: - Parameter 2: Can we filter directly based on Object_Type instead of Message field like :  blacklist1 = EventCode="4662" Object_Type="(x|y)".  Any help would be great! Thanks.   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-14-2022 09:58 AM