Here is how to filter Windows event logs, from the 6.4.2 inputs.conf.spec.
EventLog filtering
Filtering at the input layer is desirable to reduce the total processing load
in network transfer and computation on the Splunk nodes acquiring and
processing the data.
whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]
whitelist1 = <list of eventIDs> | key=regex [key=regex]
blacklist1 = <list of eventIDs> | key=regex [key=regex]
blacklist2 = <list of eventIDs> | key=regex [key=regex]
These settings are optional.
Both numbered and unnumbered whitelists and blacklists support two formats: A
comma-separated list of event IDs and a list of key=regular expression pairs.
These two formats cannot be combined, only one may be used in a specific line.
Numbered whitelist settings are permitted from 1 to 9, so whitelist1 through
whitelist9 and blacklist1 through blacklist9 are supported.
If no white or blacklist rules are present, all events will be read.
Formats:
Event ID list format:
A comma-separated list of terms.
Terms may be a single event ID (e.g. 6) or range of event IDs (e.g. 100-200)
Example: 4,5,7,100-200
This would apply to events with IDs 4, 5, 7, or any event ID between 100
and 200, inclusive.
Provides no additional functionality over the key=regex format, but may be
easier to understand than the equivalent:
List format: 4,5,7,100-200
Regex equivalent: EventCode=%^(4|5|7|1..|200)$%
key=regex format
A whitespace-separated list of event log components to match, and
regexes to match against them.
There can be one match expression or multiple per line.
The key must belong to the set of valid keys provided below.
The regex consists of a leading delimiter, the regex expression, and a
trailing delimiter. Examples: %regex%, regex, "regex"
When multiple match expressions are present, they are treated as a
logical AND. In other words, all expressions must match for the line to
apply to the event.
If the value represented by the key does not exist, it is not considered
a match, regardless of the regex.
Example:
whitelist = EventCode=%^200$% User=%jrodman%
Include events only if they have EventCode 200 and relate to User jrodman
Valid keys for the regex format:
The following keys are equivalent to the fields which appear in the text of
the acquired events: Category CategoryString ComputerName EventCode
EventType Keywords LogName Message OpCode RecordNumber Sid SidType
SourceName TaskCategory Type User
There are two special keys that do not appear literally in the event.
$TimeGenerated : The time that the computer generated the event
$Timestamp: The time that the event was received and recorded by the
Event Log service.
EventType is only available on Server 2003 / XP and earlier
Type is only available on Server 2008 / Vista and later
For a fuller definition of these keys, see the web documentation:
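As an added example (not from the spec or the post above), here is a small Python simulator of the two rule formats quoted, useful for checking a whitelist/blacklist line against sample events before deploying it. It assumes any single character can serve as the regex delimiter, and the way `passes` combines whitelists and blacklists (match at least one whitelist, match no blacklist) is an assumption not stated in the quoted text.

```python
"""Simulate inputs.conf EventLog whitelist/blacklist matching (hypothetical, not Splunk code)."""
import re

# One key=regex pair: key, a one-character delimiter, the regex body, the same delimiter.
_PAIR_RE = re.compile(r'(\$?\w+)=(.)(.*?)\2(?=\s|$)')
# Event ID list format: single IDs or inclusive ranges, comma-separated, nothing else.
_IDLIST_RE = re.compile(r'^\d+(-\d+)?(,\d+(-\d+)?)*$')

def parse_rule(rule):
    """Return ('ids', set_of_ints) or ('regex', [(key, compiled_regex), ...])."""
    rule = rule.strip()
    if _IDLIST_RE.match(rule):
        ids = set()
        for term in rule.split(','):
            lo, _, hi = term.partition('-')
            ids.update(range(int(lo), int(hi or lo) + 1))   # ranges are inclusive
        return ('ids', ids)
    pairs = [(key, re.compile(body)) for key, _delim, body in _PAIR_RE.findall(rule)]
    if not pairs:
        raise ValueError('rule is neither an event ID list nor key=regex pairs: %r' % rule)
    return ('regex', pairs)

def rule_matches(rule, event):
    """True when one whitelist/blacklist line applies to the event (a dict of field -> text)."""
    kind, spec = parse_rule(rule)
    if kind == 'ids':
        return int(event.get('EventCode', -1)) in spec
    # Every pair must match (logical AND); a key missing from the event never matches.
    return all(key in event and rx.search(event[key]) for key, rx in spec)

def passes(event, whitelists=(), blacklists=()):
    """Assumption: keep the event if it matches some whitelist (or none exist) and no blacklist."""
    if whitelists and not any(rule_matches(r, event) for r in whitelists):
        return False
    return not any(rule_matches(r, event) for r in blacklists)

# Constructed sample events (not real log data), keyed by the field names the spec lists.
SAMPLE_EVENTS = [
    {'EventCode': '200', 'User': 'jrodman', 'LogName': 'Application'},
    {'EventCode': '200', 'LogName': 'Application'},               # no User field at all
    {'EventCode': '150', 'User': 'jrodman', 'LogName': 'System'},
    {'EventCode': '250', 'User': 'svc-backup', 'LogName': 'Security'},
]

if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        print(ev['EventCode'], rule_matches('EventCode=%^200$% User=%jrodman%', ev))
```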