Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About benbabich
benbabich
Explorer
Member since:
07-18-2017
12-22-2022
Community Statistics
| Posts | 12 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 1 |
| Member Since | 07-18-2017 |
Activity Feed
- Karma Re: Finding the 1st logon and logoff event times for a single user from March 2017 to present. for gcusello. 06-05-2020 12:49 AM
- Karma Re: Can I use != in blacklist? for richgalloway. 06-05-2020 12:49 AM
- Got Karma for Re: Whitelist stacking issues in inputs.conf. 06-05-2020 12:49 AM
- Karma Re: Convert Splunk default time to human readable format for yannK. 06-05-2020 12:46 AM
- Posted Re: Finding the 1st logon and logoff event times for a single user from March 2017 to present. on Getting Data In. 01-16-2020 01:14 PM
- Posted Re: Whitelist stacking issues in inputs.conf on Splunk Dev. 05-14-2018 12:16 PM
- Posted Whitelist stacking issues in inputs.conf on Splunk Dev. 05-07-2018 11:31 AM
- Tagged Whitelist stacking issues in inputs.conf on Splunk Dev. 05-07-2018 11:31 AM
- Posted Re: How does the indexer forward data to itself? on Getting Data In. 02-06-2018 10:23 AM
- Posted Re: How does the indexer forward data to itself? on Getting Data In. 02-06-2018 08:04 AM
- Posted How does the indexer forward data to itself? on Getting Data In. 02-02-2018 08:39 AM
- Tagged How does the indexer forward data to itself? on Getting Data In. 02-02-2018 08:39 AM
- Tagged How does the indexer forward data to itself? on Getting Data In. 02-02-2018 08:39 AM
- Posted How do I blacklist multiple events on same line: Can I use '-'? on Getting Data In. 11-20-2017 08:21 AM
- Tagged How do I blacklist multiple events on same line: Can I use '-'? on Getting Data In. 11-20-2017 08:21 AM
- Tagged How do I blacklist multiple events on same line: Can I use '-'? on Getting Data In. 11-20-2017 08:21 AM
- Posted Re: Can I use != in blacklist? on Getting Data In. 10-13-2017 06:57 AM
- Posted Re: Regex to find Account_Name's that end in a $ and \ isn't stopping it's special char nature on Splunk Search. 10-13-2017 06:30 AM
- Posted Re: Can I use != in blacklist? on Getting Data In. 10-13-2017 06:18 AM
- Posted Can I use != in blacklist? on Getting Data In. 10-12-2017 12:15 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-16-2020
01:14 PM
This worked great for me.
After I Americanized the date format.
... View more
05-14-2018
12:16 PM
1 Karma
Once Regex enters the fray under [WinEventLog://System], the other system (commas) is thrown out the window.
"You have to use exclusively just event code (like whitelist1), or key/value regexes (like whitelist2). You can't mix and match in the same input stanza".
Got that info from PeanutButterW0lf over on reddit.com/r/splunk, so props to him.
This works:
[WinEventLog://System]
disabled = 0
whitelist = EventCode="104|1074|2020|6008|6009|12295|29223|40960|40961"
whitelist1 = Type=/Error|Warning/
... View more
05-07-2018
11:31 AM
I only want Error and Warning events from Windows System logs, except for a couple of individual events (104 and 1074) which I want event though they're 'information' events.
[WinEventLog://System]
disabled = 0
whitelist1 = 104,1074
whitelist2 = Type=/Error|Warning/
If I have just whitelist 1, I get the 1074 events (which are informational) but when I add whitelist 2, I only get Error and Warning events but no longer get 1074 events. How to I get both?
... View more
- Tags:
- splunk-enterprise
02-06-2018
10:23 AM
I turned on auditing for .exe's so I can see psexec usage on servers. So I'm looking for some 4688 events (in windows security logs).I block most but I want to see the following:
whitelist2 = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)"
whitelist3 = EventCode="4688" Message="(?:New Process Name:).+(?:cscript.exe)"
whitelist4 = EventCode="4688" Message="(?:New Process Name:).+(?:wscript.exe)"
whitelist5 = EventCode="4688" Message="(?:New Process Name:).+(?:PsExec.exe)"
whitelist6 = EventCode="4688" Message="(?:Process Command Line:).+(?:cscript.exe?)"
It works on my servers but my Splunk indexer server now reports EVERY 4688 event (any .exe that is opened which is 100+ a minute) and I've added
blacklist1 = EventCode="4688"
to every inputs.conf file I can find on the server (including $SPLUNK_HOME/etc/system/local) and I can't get it to stop reporting 4688 events. I could just use host!=[servername] in a search head to not see those results but I'd rather just find a way to stop it entirely.
... View more
02-06-2018
08:04 AM
Its not a cluster. And I do not use a separate deployment server, I use the same server for that.
... View more
02-02-2018
08:39 AM
I want to blacklist some events that the Splunk server is sending to itself but my indexer isn't even running the SplunkForwarder Service and the inputs.conf file that I'd edit on my other servers doesn't effect what it's sending to itself.
Does it use an inputs.conf file in a different location?
Also, since it's not running the SplunkForwarder Service, what do I restart (if anything) after I edit the correct inputs.conf? Do I have to restart the Splunkd Service (ie: splunk itself)?
... View more
- Tags:
- indexer
- inputs.conf
11-20-2017
08:21 AM
I want to blacklist 4698, 4699, 4700, 4701,4702 if they contain 'Microsoft\Windows' in the Task Name.
Would either of these work?
blacklist1 = EventCode="4698,4699,4700,4701,4702" Message="(?:Task Name:).+(?:Microsoft\Windows?)"
or
blacklist1 = EventCode="4698-4702" Message="(?:Task Name:).+(?:Microsoft\Windows?)"
Or would I have to have a separate line for each, such as :
blacklist1 = EventCode="4698" Message="(?:Task Name:).+(?:Microsoft\Windows?)"
blacklist2 = EventCode="4699" Message="(?:Task Name:).+(?:Microsoft\Windows?)"
etc
... View more
10-13-2017
06:57 AM
I was really trying to do it in Blacklist due to some convoluted but prebuilt blacklists I inherited but I think I'll just have to build it out properly in the whitelist. It really is the best way to do it.
... View more
10-13-2017
06:30 AM
I really wanted that to work. But where ".\$" in Regex still gives me names not ending in $, | where Account_Name="$" | gives me zero results.
I'll play around with it and see though.
... View more
10-13-2017
06:18 AM
That does work but I have some inherited blacklists that would have made it easier (for other reasons not shown in the example) to do it in blacklist.
... View more
10-12-2017
12:15 PM
I only want to see cmd.exe and blacklist everything else for EventCode 4688.
blacklist = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)" will remove cmd.exe but 'Message!=' doesn't do the opposite.
... View more
10-12-2017
10:01 AM
I want to find all names in Account_Name that end with a $ and not ones that don't. IE: I want NAME1$ but not NAME2.
I've been trying regex Account_Name=".*\$" but am still getting NAME2.
Any ideas?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-22-2022
01:35 AM
|
