Getting Data In

Parameter "blacklist" in inputs.conf

templier
Communicator

Hello, friends!

We have:
Splunk server (indexer) and computer with WinXP and UniversalForwarder.
The task was to remove some windows security events from Splunk indexer.
It was solved by using the parameter "blacklist" in inputs.conf on the computer with WinXP.

  • inputs.conf

    [WinEventLog://Security]
    disabled = false
    blacklist = 538,540

And everything worked as needed: the data came from the EventLog except the two specified IDs (538 and 540).

The problem started when I decided to add a third ID (576).
I changed the inputs.conf:

[WinEventLog://Security]
disabled = false
blacklist = 538,540,576

Saved, restarted the splunk service.

And every event from the EventLog from this machine stopped coming to the indexer.
If I change inputs.conf back to its original appearance (with the two event IDs), everything works again as necessary.

What can be causing this problem?

Thx!

1 Solution

bshuler_splunk
Splunk Employee

The blacklist parameter is a regular expression:

http://regexone.com

This worked in my test:

blacklist = 538|540|576

Here is the documentation for the parameter:

http://docs.splunk.com/Documentation/Splunk/latest/admin/Inputsconf

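As an added example, not from this thread or from Splunk itself: a small Python simulation of treating the blacklist value as a regular expression matched against each event ID, which is what the accepted answer states. It assumes nothing about the forwarder's real parser; the sample events are constructed (538, 540 and 576 come from the question, 528 and the hypothetical 5380 are made up), and the anchored pattern shows why a bare alternation can over-match.

```python
import re

# Constructed sample of Windows Security events (EventCode + short text).
# 538/540/576 are the IDs from the question; 528 and 5380 are made up for the demo
# (5380 is hypothetical and only exists to contain "538" as a substring).
SAMPLE_EVENTS = [
    {"EventCode": 538, "Message": "User Logoff"},
    {"EventCode": 540, "Message": "Successful Network Logon"},
    {"EventCode": 576, "Message": "Special privileges assigned to new logon"},
    {"EventCode": 528, "Message": "Successful Logon"},
    {"EventCode": 5380, "Message": "hypothetical ID that merely contains 538"},
]


def blacklisted(event_code, blacklist_regex):
    """True if the event ID matches the blacklist regex.

    Simulation only: it applies Python regex semantics to the event ID string,
    mirroring the accepted answer's point that the value is a regular expression.
    """
    return re.search(blacklist_regex, str(event_code)) is not None


def apply_blacklist(events, blacklist_regex):
    """Return the event codes that would still be forwarded to the indexer."""
    return [e["EventCode"] for e in events
            if not blacklisted(e["EventCode"], blacklist_regex)]


if __name__ == "__main__":
    # Bare alternation from the accepted answer: drops 538, 540, 576, but also 5380.
    print(apply_blacklist(SAMPLE_EVENTS, r"538|540|576"))
    # Anchored form: drops exactly the three listed IDs and nothing else.
    print(apply_blacklist(SAMPLE_EVENTS, r"^(538|540|576)$"))
```

Anchoring the alternation (`^(...)$`) is the check to make when the IDs being excluded are prefixes of other IDs you still want to collect.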
templier
Communicator

Thx. Will check shortly.
Last time there was no time to do it.

0 Karma

rakesh_498115
Motivator

Have you tried blacklist = (576|538|540)?

0 Karma

templier
Communicator

Of course I checked the security log for the presence of these IDs. In the security log the entries are present; they are not present in Splunk.

0 Karma

Pierceyuk
Path Finder

Have you checked the event log to see if there are events without those IDs? Just want to rule out the obvious, etc.

0 Karma

templier
Communicator

blacklist = 576,538,540 and blacklist = 576,538 - the same result 😞
As an option, I could make a whitelist with all EventIDs except these IDs, but I will try it later. I think this cannot be caused by the free license.

0 Karma

somesoni2
Revered Legend

Just to be sure, can you try changing the order of event ids in blacklist?

0 Karma

templier
Communicator

Yes, other data from this machine come through correctly. Only the EventLog disappears.

0 Karma

laserval
Communicator

Do you get other events from the forwarder? Can you see any errors or warnings from the forwarder when searching in index=_internal?

0 Karma