I'm running the Splunk Universal Forwarder and I've configured the inputs.conf for the Splunk Add-on for Microsoft Windows to monitor the Security event logs for Windows.
At this time though I'm looking to blacklist / not index any security event that displays a specific account name. The account name is "wilmsplunksvc".
I went ahead and created a blacklist within the inputs.conf without any luck. Below is the syntax I used.
blacklist4 = Account_Name="wilmsplunksvc"
Any assistance would be greatly appreciated.
Look at this answer: https://answers.splunk.com/answers/417989/how-to-edit-my-wineventlog-blacklist-configuration.html
Maybe try this:
blacklist= Message="Account\sName:\s+wilmsplunksvc"
Thank you for your quick response. The syntax you provided did the trick.
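A way to check which events the Message-based blacklist from the answer would discard before deploying it, as an added example that is not part of the original thread. The event messages are constructed, STRICT_RE is a hypothetical tighter variant, and Python's re stands in here for the PCRE engine Splunk uses.

```python
import re

# Regex copied from the answer above (value of Message="...").
ANSWER_RE = r"Account\sName:\s+wilmsplunksvc"
# Hypothetical tighter variant: the account name must end the field value.
STRICT_RE = r"Account\sName:\s+wilmsplunksvc(?!\S)"

# Constructed Security event messages (not real log data).
EVENTS = {
    # Logon by the service account itself: the noise the poster wants gone.
    "svc_logon": "An account was successfully logged on.\r\nSubject:\r\n"
                 "\tAccount Name:\t\t-\r\nNew Logon:\r\n"
                 "\tAccount Name:\t\twilmsplunksvc\r\n",
    # Unrelated user: must be kept.
    "other_user": "An account was successfully logged on.\r\nNew Logon:\r\n"
                  "\tAccount Name:\t\tjdoe\r\n",
    # Different account whose name starts with the same string.
    "lookalike": "An account was successfully logged on.\r\nNew Logon:\r\n"
                 "\tAccount Name:\t\twilmsplunksvc2\r\n",
    # Another user acting on the service account (it appears as the target).
    "svc_as_target": "An attempt was made to reset an account's password.\r\n"
                     "Subject:\r\n\tAccount Name:\t\tjdoe\r\n"
                     "Target Account:\r\n\tAccount Name:\t\twilmsplunksvc\r\n",
}

def account_names(message):
    """Return every 'Account Name:' value found in the message, in order."""
    return re.findall(r"Account\sName:\s+(\S+)", message)

def dropped(pattern, events=EVENTS):
    """Names of the sample events a Message blacklist with this regex discards."""
    rx = re.compile(pattern)  # unanchored search anywhere in the Message text
    return sorted(name for name, msg in events.items() if rx.search(msg))

if __name__ == "__main__":
    for label, pattern in (("answer", ANSWER_RE), ("strict", STRICT_RE)):
        print(label, "drops:", dropped(pattern))
    for name, msg in EVENTS.items():
        print(name, "accounts:", account_names(msg))
```

Both patterns discard svc_as_target, because the regex matches any "Account Name:" field in the message, not only the account that performed the action.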