Solved: How to blacklist application event level "Informat...

sim_tcr · ‎05-11-2016

Hello,

How to blacklist application event Level "Information" on Windows 2012 servers.

Already tried:

[WinEventLog:Application]
blacklist = EventType=Information
sourcetype = applicationerrors
disabled = 0
index = osgpp
disabled = false
crcSalt=

[WinEventLog:Application]
blacklist = EventType=0
sourcetype = applicationerrors
disabled = 0
index = osgpp
disabled = false
crcSalt=

sim_tcr · ‎06-01-2016

[WinEventLog://Application]
blacklist = Type="(Information)"
sourcetype = applicationerrors
disabled = 0
index = osgpp
disabled = false
crcSalt=<SOURCE>

Above fixed my issue

View solution in original post

sim_tcr · ‎06-01-2016

[WinEventLog://Application]
blacklist = Type="(Information)"
sourcetype = applicationerrors
disabled = 0
index = osgpp
disabled = false
crcSalt=<SOURCE>

Above fixed my issue

spayneort · ‎05-13-2016

Try changing it to:

[WinEventLog://Application]

instead of:

[WinEventLog:Application]

sim_tcr · ‎05-20-2016

Tried below and made sure that forwarder was restarted after both changes. Still not working. Still getting Information events.
our server are windows 2012

[WinEventLog://Application]
blacklist = Type=0
sourcetype = applicationerrors
disabled = 0
index = osgpp
disabled = false
crcSalt=<SOURCE>

and

[WinEventLog://Application]
blacklist = Type=Information
sourcetype = applicationerrors
disabled = 0
index = osgpp
disabled = false
crcSalt=<SOURCE>

spayneort · ‎05-18-2016

The EventType filter is for 2003 and earlier. Use Type for 2008 and later. The Microsoft documentation says that the numeric value for Type "Information" is 4.

http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/MonitorWindowseventlogdata

Win32_NTLogEvent class

sim_tcr · ‎05-18-2016

Tried below and made sure that forwarder was restarted after both changes. Still not working. Still getting Information events.

[WinEventLog://Application]
blacklist = EventType=0
sourcetype = applicationerrors
disabled = 0
index = osgpp
disabled = false
crcSalt=<SOURCE>

and

[WinEventLog://Application]
blacklist = EventType=Information
sourcetype = applicationerrors
disabled = 0
index = osgpp
disabled = false
crcSalt=<SOURCE>

woodcock · ‎05-11-2016

This needs to be deployed to all your forwarders and the Splunk forwarder instance on those servers must be restarted. Even so, only events that are forwarded AFTER the restart will be effected; "wrong" events forwarded before will still be there. You can use the delete command to hide them.

yonick · ‎05-20-2016

Have you had a look at this question?

https://answers.splunk.com/answers/152131/filter-windows-eventcode-using-blacklist-and-whitelist.htm...

sim_tcr · ‎05-12-2016

But which one of them is correct?
I tried both.
Forwarders must have restarted whenever i deployed these. I pushed these through deployment server.

How to blacklist application event level "Information" on Windows 2012 servers?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!