
How to edit inputs.conf in order to whitelist incoming Windows events by EventCode?

elindemann
Engager

Hello there,

I'm currently trying to whitelist incoming Windows events by EventCode, but it doesn't actually filter the events. I've searched through various documentation, but can't seem to find the right settings.

Here's what I did:
in Splunk\etc\system\local\inputs.conf:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs. (I also tried whitelist = 4663 )
whitelist1 = EventCode=4663
# exclude these event IDs from being indexed.
# blacklist = 

I'm still a bit confused about which inputs.conf is for what (if anyone has a good documentation for that...)
Did I choose the right one? I tried restarting Splunk, but it's still indexing the wrong events.

What am I missing?

0 Karma

niketn
Legend

Try the following:

whitelist=EventCode="^4663$"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

elindemann
Engager

hi niketnilay,

This doesn't seem to work for me.

0 Karma

niketn
Legend

Currently are you seeing all event codes from Security and not just 4663?

When you disable the WinEventLog://Security does it stop sending the events?

[WinEventLog://Security]
disabled = 1
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

gcusello
SplunkTrust

Hi elindemann,
the best documentation you can find is at https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf.
If your filter doesn't run verify the regex you used in your whitelist.
Bye.
Giuseppe

0 Karma

elindemann
Engager

Hello Giuseppe,

thanks for the reply.

From the documentation:

# Event Log filtering
#
# Filtering at the input layer is desirable to reduce the total
# processing load in network transfer and computation on the Splunk
# nodes that acquire and processing Event Log data.

whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]

[...]

* These settings are optional.
* Both numbered and unnumbered whitelists and blacklists support two formats:
  * A comma-separated list of event IDs.
  * A list of key=regular expression pairs.
  * You cannot combine these formats. You can use either format on a specific
    line.

so I adjusted my inputs.conf to

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# only index events with these event IDs.
# whitelist = EventCode="4663"
whitelist = 4663
# exclude these event IDs from being indexed.
#blacklist = 2001-3000

but still with the same result. It can't be the regex because I actually don't want to mess with it when I can just take the super easy approach.

0 Karma
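The documentation excerpt quoted above allows two whitelist formats but not both on one line. The stanza below is an added example (not taken from the thread or from Splunk's own configuration files) showing each format on its own line; the numbered whitelist uses the `%`-delimited, anchored regex form that the Splunk docs example `EventCode=%^200$%` uses, so that the match is restricted to exactly 4663 rather than to any event code that merely contains those digits. The file path is the usual location for local input settings and is an assumption.

```ini
# Added example: $SPLUNK_HOME/etc/system/local/inputs.conf
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

# Format 1: a plain comma-separated list of event IDs (no key=regex pairs on this line).
whitelist = 4663

# Format 2: key=regex pairs, on a separate (numbered) line. The ^ and $ anchors keep the
# regex from also matching longer codes; % delimits the regex as in the docs example.
whitelist1 = EventCode=%^4663$%

# Unanchored key=regex form (uncomment to compare): any EventCode containing 4663 matches.
# whitelist2 = EventCode=4663

# Keep a blacklist commented out while testing so it cannot silently override the whitelist.
# blacklist = 2001-3000
```

After editing, restart the instance that owns the input and compare the indexed EventCode values before and after (for example with `| stats count by EventCode`) to confirm that the filter is applied at the input layer rather than only assumed to be.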

gcusello
SplunkTrust

Hi elindemann,
I don't think that whitelist = 4663 is correct; it should rather be whitelist = EventCode=4663 or whitelist = EventCode\=4663.
In https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Inputsconf there is an example: whitelist = EventCode=%^200$%
I usually don't filter events in Universal Forwarder but only on the Indexers.

0 Karma

elindemann
Engager

Hello Giuseppe,

I tried whitelist = EventCode\=4663 and whitelist = EventCode=%^4663$% but both didn't work.

My problem is that I want to get that one EventCode, but it's generated with a lot of other noise around it that I don't want indexed, mostly because it would hit the license pretty hard without any good reason.

Do you know any other way that would be possible?

0 Karma

gcusello
SplunkTrust

Hi elindemann,
It's possible and I did it, but I used a different approach: I filtered events on the indexers, I didn't use whitelist.
I know that this solves only the Splunk license problem and doesn't eliminate network traffic, but it gives me more control over the filter.
Bye.
Giuseppe

0 Karma

elindemann
Engager

Hi Giuseppe,

Can you tell me how you did it?
I'm not that concerned about network traffic.
Just to be clear, I'm not using forwarders or any fancy setups. All I have is the Splunk server on one machine and the file server on another. The Splunk server is getting the events by itself, and I don't want all of these events indexed.

Maybe my first approach wasn't the right one?

0 Karma

gcusello
SplunkTrust

I think that you should use a Universal Forwarder on the file server; in this way file transfer between the file server and the Splunk server is optimized in very many ways (compression, cache, bandwidth, etc.).
In any case, to filter events (see http://docs.splunk.com/Documentation/Splunk/6.5.1/Forwarding/Routeandfilterdatad) you have to edit:
props.conf

[your_sourcetype]
TRANSFORMS-null= setnull

transforms.conf

[setnull]
REGEX = EventCode\=4663
DEST_KEY = queue
FORMAT = nullQueue

and restart Splunk

Bye.
Giuseppe

0 Karma
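A transform whose REGEX matches EventCode=4663 and whose FORMAT is nullQueue discards exactly the 4663 events, which is the opposite of what is wanted here. To keep only 4663 and drop the rest, the routing is reversed: a first transform sends every event to nullQueue, and a second one, listed later so that it wins, sends the matching events back to indexQueue. The pair of stanzas below is an added example, not Giuseppe's configuration or anything from Splunk's own files. It assumes the sourcetype WinEventLog:Security that the WinEventLog://Security input produces by default, and the stanza names security_setnull and security_keep4663 are hypothetical. These parsing-time transforms only take effect on the instance that parses the data (an indexer or heavy forwarder, or the single Splunk server described above), not on a Universal Forwarder.

```ini
# Added example: props.conf on the parsing instance
[WinEventLog:Security]
# Transforms in this list run in order; for DEST_KEY = queue the last match decides
# where the event goes, so the "keep" transform must come after the "drop everything" one.
TRANSFORMS-filter4663 = security_setnull, security_keep4663

# Added example: transforms.conf on the same instance
[security_setnull]
# Match every event and route it to nullQueue (discarded, never indexed, no license usage).
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[security_keep4663]
# Match only events whose raw text carries an "EventCode=4663" line and route them back
# to indexQueue. (?m) makes ^ and $ apply per line of the multi-line Windows event.
REGEX = (?m)^EventCode=4663$
DEST_KEY = queue
FORMAT = indexQueue
```

Restart Splunk after the change and verify with a search such as `sourcetype=WinEventLog:Security | stats count by EventCode`: only 4663 should appear. Because the null-queue rule matches everything, a typo in the keep rule's REGEX silently drops the audit events you rely on, so check the count is non-zero before trusting the filter.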