Parameter "blacklist" in inputs.conf

templier
Communicator

Hello, friends!

We have:
a Splunk server (indexer) and a computer with WinXP and a UniversalForwarder.
The task was to remove some Windows security events from the Splunk indexer.
It was solved by using the parameter "blacklist" in inputs.conf on the computer with WinXP.

  • inputs.conf

    [WinEventLog://Security]
    disabled = false
    blacklist = 538,540

And everything worked as needed: the data came from the EventLog except the two specified IDs (538 and 540).

The problem started when I decided to add a third ID (576).
I changed the inputs.conf:

[WinEventLog://Security]
disabled = false
blacklist = 538,540,576

Save, restart the splunk service.

And all events from the EventLog on this machine stopped coming to the indexer.
If I change inputs.conf back to its original appearance (with two event IDs), everything works again as necessary.

What can be causing this problem?

Thx!

1 Solution

bshuler_splunk
Splunk Employee

The blacklist parameter is a regular expression:

http://regexone.com

This worked in my test:

blacklist = 538|540|576

Here is the documentation for the parameter:

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf
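
The distinction the answer makes (a comma-separated list is not a regex alternation) can be shown with a small simulation. The following is an added example, not code from the thread or from Splunk: it filters a constructed set of Windows Security event codes with a regex blacklist the way a search-style regex match would, which is an assumption for illustration only, since Splunk's exact matching rules for WinEventLog blacklists are defined in inputs.conf.spec, not here. It also shows why an unanchored alternation such as `538|540|576` can over-match on longer codes and how anchoring avoids that.

```python
import re

# Constructed sample of Windows Security events as (EventCode, description)
# pairs; illustrative records only, not data from the thread.
SAMPLE_EVENTS = [
    ("528", "Successful logon"),
    ("538", "User logoff"),
    ("540", "Successful network logon"),
    ("576", "Special privileges assigned to new logon"),
    ("5380", "constructed code that merely begins with 538"),
    ("612", "Audit policy change"),
]


def filter_events(events, blacklist_pattern, anchored=False):
    """Return the events a regex blacklist would keep.

    Assumption: the blacklist is applied as an unanchored regex search against
    the EventCode string (a simulation, not Splunk's own implementation).
    With anchored=True the pattern is wrapped in ^(?:...)$ so it must match the
    whole code, which prevents '538' from also dropping '5380'.
    """
    pattern = f"^(?:{blacklist_pattern})$" if anchored else blacklist_pattern
    rx = re.compile(pattern)
    return [(code, desc) for code, desc in events if not rx.search(code)]


def kept_codes(blacklist_pattern, anchored=False):
    """Convenience wrapper returning only the EventCodes that survive the blacklist."""
    return [code for code, _ in filter_events(SAMPLE_EVENTS, blacklist_pattern, anchored)]


if __name__ == "__main__":
    # "538,540,576" as a regex is the literal text "538,540,576": it matches no
    # EventCode, so nothing is blacklisted at all.
    # "538|540|576" is a real alternation; unanchored it also catches "5380".
    # Anchoring restricts it to exactly the three intended codes.
    for pat, anch in [("538,540,576", False), ("538|540|576", False), ("538|540|576", True)]:
        print(f"{pat!r:15} anchored={str(anch):5} -> kept {kept_codes(pat, anch)}")
```

For a defender the practical point is the opposite of the thread's symptom: a malformed blacklist may silently drop nothing, while an over-broad one silently drops security events you wanted to keep, so a test search over the raw Security log and the indexed data should be compared after any change to the filter.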

templier
Communicator

Thx. Check shortly.
The last time was not the time to do it

rakesh_498115
Motivator

Have u tried blacklist = (576|538|540)?

templier
Communicator

Of course I checked the security log for the presence of these IDs. The entries are present in the security log, but they are not present in Splunk.

Pierceyuk
Path Finder

Have you checked the event log to see if there are events without those IDs? Just want to rule out the obvious etc...

templier
Communicator

blacklist = 576,538,540 and blacklist = 576,538 - the same result 😞
As an option, I could make a whitelist with all EventIDs except these IDs, but I will try it later. I think this cannot be caused by the free license.

somesoni2
SplunkTrust

Just to be sure, can you try changing the order of event ids in blacklist?

templier
Communicator

Yes, other data from this machine come correctly. Only the EventLog disappears.

laserval
Communicator

Do you get other events from the forwarder? Can you see any errors or warnings from the forwarder when searching in index=_internal?
