Hi,
I'm trying to use a blacklist on the Universal Forwarder to prevent unwanted events from being sent and indexed. The Splunk instance and the UF are both version 6.1.3.
On the machine with UF, I went to C:\Program Files\SplunkUniversalForwarder\etc\system\local
The inputs.conf file looks like this:
[default]
host = Win7HP8440p
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
So I added a stanza as shown in many models and now it looks like this:
[default]
host = Win7HP8440p
[WinEventLog://System]
disabled = false
blacklist1 = 7036
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
I rebooted the host with the UF and then checked on the Splunk instance and Event code 7036 keeps coming through.
I have tried many variations to match the examples I have seen (like disabled = 0, or removing the spaces around the = signs, etc.), but so far nothing seems to work.
Any suggestions?
Hi,
Are you using the advanced filtering format?
How do I check for that? I don't see anything in the docs.
Any reason to add 1 to blacklist? It could be simply "blacklist = 7036"
I've tried with and without the 1. I saw it as "blacklist1" in some examples.
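Added example, not from the thread and not Splunk's own code: a small Python simulator of how the two documented WinEventLog blacklist formats are evaluated, run over constructed sample events. It accepts the simple form (a comma-separated list of event IDs or ranges, e.g. "7036" or "7000-7099") and the advanced form (one or more key=%regex% pairs, all of which must match within one entry), with several blacklist/blacklistN entries combined as OR. The matching semantics are my reading of the inputs.conf documentation rather than Splunk's implementation, and the sample event fields are made up; the point is to see which events each stanza would drop before relying on it, since a blacklisted event never reaches the indexer and cannot be searched afterwards.

```python
import re

# Constructed sample events (values made up for this example), using the field
# names Splunk exposes to WinEventLog filtering rules.
SAMPLE_EVENTS = [
    {"EventCode": "7036", "SourceName": "Service Control Manager", "Type": "Information",
     "Message": "The Windows Update service entered the running state."},
    {"EventCode": "7045", "SourceName": "Service Control Manager", "Type": "Information",
     "Message": "A service was installed in the system."},
    {"EventCode": "1074", "SourceName": "User32", "Type": "Information",
     "Message": "The process wininit.exe has initiated the restart of computer."},
    {"EventCode": "6008", "SourceName": "EventLog", "Type": "Error",
     "Message": "The previous system shutdown was unexpected."},
]

# Simple format: "7036", "7036,7040" or "7000-7099" (IDs and ranges, comma-separated).
SIMPLE_RE = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")
# Advanced format: key=%regex% pairs, e.g. EventCode=%^7036$% Type=%Information%
ADVANCED_RE = re.compile(r"(\w+)=%([^%]*)%")


def parse_rule(value):
    """Turn one blacklist/blacklistN value into a predicate over an event dict."""
    compact = value.replace(" ", "")
    if SIMPLE_RE.match(compact):
        ranges = []
        for part in compact.split(","):
            lo, _, hi = part.partition("-")
            ranges.append((int(lo), int(hi or lo)))
        return lambda ev: any(lo <= int(ev["EventCode"]) <= hi for lo, hi in ranges)
    pairs = ADVANCED_RE.findall(value)
    if not pairs:
        raise ValueError(f"unrecognised blacklist value: {value!r}")
    compiled = [(key, re.compile(rx)) for key, rx in pairs]
    # Every key=%regex% pair inside one entry must match (AND). Assumed semantics.
    return lambda ev: all(rx.search(str(ev.get(key, ""))) for key, rx in compiled)


def parse_stanzas(conf_text):
    """Collect blacklist rules from every [WinEventLog://...] stanza in inputs.conf text."""
    rules, in_wineventlog = [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_wineventlog = line.startswith("[WinEventLog://")
            continue
        key, sep, val = line.partition("=")
        # blacklist plus blacklist1 .. blacklist9 are the documented setting names.
        if in_wineventlog and sep and re.fullmatch(r"blacklist[1-9]?", key.strip()):
            rules.append(parse_rule(val.strip()))
    return rules


def apply_blacklist(conf_text, events):
    """Return (kept, dropped) EventCode lists; any matching entry drops the event (OR)."""
    rules = parse_stanzas(conf_text)
    kept, dropped = [], []
    for ev in events:
        (dropped if any(rule(ev) for rule in rules) else kept).append(ev["EventCode"])
    return kept, dropped


# The stanza from the question, with the script stanza kept to show it is ignored.
QUESTION_CONF = """[default]
host = Win7HP8440p
[WinEventLog://System]
disabled = false
blacklist1 = 7036
[script://$SPLUNK_HOME\\bin\\scripts\\splunk-wmi.path]
"""

# Advanced form: two Service Control Manager codes in one entry, any Error in another.
ADVANCED_CONF = """[WinEventLog://System]
disabled = false
blacklist1 = EventCode=%^70(36|45)$% SourceName=%Service Control Manager%
blacklist2 = Type=%Error%
"""

if __name__ == "__main__":
    for name, conf in (("question", QUESTION_CONF), ("advanced", ADVANCED_CONF)):
        kept, dropped = apply_blacklist(conf, SAMPLE_EVENTS)
        print(f"{name}: kept={kept} dropped={dropped}")
```

Running it shows the question's stanza dropping only 7036, so the setting name (blacklist vs. blacklist1) is not what the simulator distinguishes; if the real forwarder still sends 7036, the next things to compare are which inputs.conf actually defines the active [WinEventLog://System] input (etc/system/local versus an app directory) and whether the forwarder was restarted after the edit.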