Getting Data In

Blacklist sometimes not working

tdewberry
New Member

I have this in my windows DC server with Universal Forwarder v 6.1.1.
..\Splunk_TA_Windows\local\inputs.conf file:

[WinEventLog://Security]
disabled = 0
current_only=1
blacklist1=EventCode=4662
blacklist2=EventCode=566

Yet event 4662 gets indexed sometimes. Any idea? The event 4662 is generated around 1000+ per second. Is the forwarder not keeping up with this rate of events?

Tags (3)
0 Karma

kserra_splunk
Splunk Employee
Splunk Employee

The issue here is that the blacklist requires delimiters around the regex in order for it to work. Try changing blacklist1=EventCode="4662" , for more detail please see the following post

http://answers.splunk.com/answers/148883/what-is-wrong-with-my-inputsconf-eventcode-blacklist

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...