Getting Data In

How to blacklist a single host for a single event?

knappra
Engager

I'm currently collecting Powershell event 4104 across all devices on the network and one sysadmin host has been found to be exceptionally chatty. I would like to blacklist event 4104 on that box while allowing it on all the rest. I've added the event id to the blacklist in the offending machine's etc/system/local/inputs.conf, as it should take precedence over the app's inputs.conf file, but I'm still receiving events. Can someone point me in the right direction?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this

On your Indexer/Heavy forwarder (node where data parsing happens), add this

props.conf

[host::yourchattyhostname]
TRANSFORMS-remove4104=remove4104

transforms.conf

[remove4104]
REGEX=(?m)^EventCode=4104   ***
DEST_KEY=queue
FORMAT=nullQueue
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...