Getting Data In

How to configure inputs.conf to blacklist "Account Name" field for EventCode 4656?

egm05
Explorer

Splunk 6.2.6 inputs.conf blacklisting
Viewed numerous blogs and answers on similar topics, but can't come up with the correct string for my need. Also looked at the inputs.conf spec.

For Event 4656, in the Account Name: field, I don't want to see computer names. In the "Account Name" field, all computers begin with a common word which I'll call "junk" for the purposes of this post and end with a "$".

blacklist = EventCode=4656 Message="Object Type:\s+(junk*$)"

I've tried a couple dozen other methods and iterations all with no success. Would appreciate any help as this item is crushing my license!

0 Karma

egm05
Explorer

Sorry for the 24 hour delay in posting this. Apparently my thanking two people for responding used the two daily posts I get. So here is the solution:

Thank you everyone for your thought, time and effort. It was my first post so I missed a few key things, but in the end this is the string that worked. I'm not sure why the solutions in the posted links above and from "maciep" didn't work. Here is what did:

blacklist1 = EventCode="4656" Message=".*[\S\s]*Account\sName:\s+[\S+]+[\$]"

Again, not sure why I had to get so specific and not be able to run the examples provided.

Thanks again everyone!
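As an added example (not from the thread or from Splunk's own code), here is the accepted blacklist line exercised in Python over constructed 4656 messages, so a filter like this can be checked before it goes into inputs.conf: the machine account is dropped, user events survive even when the object name happens to end in "$", and a non-4656 event is untouched. The sample messages, the simplified `SIMPLE_MESSAGE_RE`, and the helper names are assumptions.

```python
import re

# The accepted blacklist line from this thread, as written in inputs.conf. Splunk runs
# each key=regex pair as an unanchored PCRE search over that field and requires ALL
# pairs to match before the event is discarded at input time.
BLACKLIST_EVENTCODE_RE = re.compile(r"4656")
BLACKLIST_MESSAGE_RE = re.compile(r".*[\S\s]*Account\sName:\s+[\S+]+[\$]")

# Simplified form with the redundant leading '.*[\S\s]*' removed (assumption: same
# intent; kept_accounts() below lets you confirm it agrees with the author's pattern).
SIMPLE_MESSAGE_RE = re.compile(r"Account Name:\s+\S+\$")

def make_event(account, obj_name, event_code="4656"):
    """Build a constructed 4656-style event dict (not real log data)."""
    body = ("A handle to an object was requested.\r\n\r\nSubject:\r\n"
            "\tSecurity ID:\t\tS-1-5-21-1111\r\n"
            f"\tAccount Name:\t\t{account}\r\n\tAccount Domain:\t\tCORP\r\n\r\n"
            f"Object:\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\t{obj_name}\r\n")
    return {"EventCode": event_code, "Message": body}

# Constructed samples: a machine account, a plain user, a user touching a share whose
# name ends in '$', and a machine account on a different event code.
SAMPLE_EVENTS = [
    make_event("JUNKPC01$", r"C:\Windows\System32\config\SAM"),
    make_event("jdoe", r"C:\Users\jdoe\notes.txt"),
    make_event("jdoe", r"\\FILESRV\ADMIN$"),
    make_event("JUNKPC02$", r"C:\Payroll\salaries.xlsx", event_code="4663"),
]

def is_blacklisted(event, message_re=BLACKLIST_MESSAGE_RE):
    """True when both key=regex pairs match, i.e. Splunk would drop the event."""
    return (BLACKLIST_EVENTCODE_RE.search(event["EventCode"]) is not None
            and message_re.search(event["Message"]) is not None)

def kept_accounts(events, message_re=BLACKLIST_MESSAGE_RE):
    """Account names of the events that survive the blacklist, in input order."""
    return [re.search(r"Account Name:\s+(\S+)", e["Message"]).group(1)
            for e in events if not is_blacklisted(e, message_re)]

if __name__ == "__main__":
    print(kept_accounts(SAMPLE_EVENTS))  # ['jdoe', 'jdoe', 'JUNKPC02$']
```

Python's re module is close enough to Splunk's PCRE for this pattern; the same check against a real exported event sample is the last step before editing the production inputs.conf.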

brandili
Explorer

This expression worked perfectly for what I needed. I was able to filter logon from users ending with "$". Thank you for your contribution.

0 Karma

maciep
Champion

Couple of thoughts... First, is it possible there's another blacklist entry on the box for that event log that is winning over yours? Might be worth running btool just to be sure. No need to pull your hair out if nothing you change is going to matter anyway.

Second, doesn't the Account info come before the Object Type in the message? Meaning, do you want something like this maybe?

blacklist = EventCode=4656 Message="Account Name:\s+(junk*$)"

0 Karma

egm05
Explorer

Thanks for the response. What you've posted as an example is what I would have figured would work. Fortunately my configuration is a smaller one and very easy to control since I'm the only admin. I did not have any competing blacklists. Excellent point I didn't think to consider. I did come across a working solution though which I'll post below. Thank you very much for your time and effort.

0 Karma

stephanefotso
Motivator

Hello! Please let us have a sample of your events.

Thanks

SGF
0 Karma

egm05
Explorer

Sorry for not posting a sample of event 4656. Should have been the first thing I did. I will know better for next time. Thanks for the advice / response. Fortunately I now have my answer.

0 Karma