Getting Data In

How to create more than 10 blacklists for the same input

cjaramilloc
Explorer

Hello

Anybody know how to create more than 10 blacklists for the same input in Windows event monitoring?

According to documentation you can only use blacklist1 through blacklist9: http://docs.splunk.com/Documentation/Splunk/6.5.2/admin/Inputsconf#Windows_Event_Log_Monitor

I have a small license and every once in a while I notice some events I don’t need, and I add them to the blacklist:

[WinEventLog:Security]
disabled = 0
start_from = oldest
blacklist=5XX5,4XX8,4XX6
blacklist1=EventCode="4XX1" Message="\b. *0xO"
...
blacklist9=EventCode="5XX6" Message="Audit Success"

Now I'm trying to add a blacklist10 but I can’t. Do you guys know a workaround, maybe using transforms?

Thank you

Christian

0 Karma
1 Solution

woodcock
Esteemed Legend

If you have more than one blacklist, you must number them all, starting at 1. In the blacklist, you can have ranges (separated by hyphens) or individuals (separated by commas) or both. So combine as much as you can on a single line to make room for other blacklists.

blacklist1 = 5156,5158,4656,4700-5600
blacklist2 = EventCode=%^4689$% Message=%SplunkUniversalForwarder%

Additionally, the "RegEx" used, is not normal RegEx; read the documentation here:

http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Inputsconf#Windows_Event_Log_Monitor
http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/


0 Karma
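The consolidation woodcock describes (combine plain event codes on one line, use hyphenated ranges, number the lines from 1) can be automated so that only truly contiguous codes become ranges and no event outside the original lists gets dropped by accident. This is an added example, not code from the thread or from Splunk; it assumes the slots available are "blacklist" plus "blacklist1" through "blacklist9", and the stanza below is constructed for the demonstration.

```python
import re

# Keys the Windows Event Log input accepts, as cited in the thread
# (assumption: "blacklist" plus "blacklist1" .. "blacklist9").
KEY_RE = re.compile(r"^blacklist(\d*)\s*=\s*(.*)$")
MAX_NUMBERED = 9

# Constructed inputs.conf stanza in the style of the original question.
SAMPLE = """[WinEventLog:Security]
disabled = 0
start_from = oldest
blacklist = 5156,5158,4656
blacklist1 = 4657,4658
blacklist2 = EventCode=%^4689$% Message=%SplunkUniversalForwarder%
blacklist3 = 4659-4661,5157
"""

def parse_blacklists(stanza):
    """Return (key, value) pairs for every blacklist* line of a stanza."""
    pairs = []
    for line in stanza.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            pairs.append(("blacklist" + m.group(1), m.group(2).strip()))
    return pairs

def is_plain_codes(value):
    # Only digits, commas, hyphens and spaces: a plain event-code list.
    # Anything else (EventCode=... Message=...) is a key=regex blacklist.
    return re.fullmatch(r"[\d,\s-]+", value) is not None

def expand_codes(value):
    """Expand '4656,4700-4702' into the set of individual event codes."""
    codes = set()
    for part in (p.strip() for p in value.split(",")):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            codes.update(range(lo, hi + 1))
        elif part:
            codes.add(int(part))
    return codes

def to_ranges(codes):
    """Collapse codes into 'a-b' only where contiguous, so the merged line
    blacklists exactly the original set and nothing in between."""
    runs = []
    for c in sorted(codes):
        if runs and c == runs[-1][-1] + 1:
            runs[-1].append(c)
        else:
            runs.append([c])
    return ",".join(f"{r[0]}-{r[-1]}" if len(r) > 1 else str(r[0]) for r in runs)

def consolidate(stanza):
    """Merge all plain event-code blacklists into one line, keep the regex
    blacklists unchanged, and renumber everything from blacklist1."""
    plain, regex = set(), []
    for _, value in parse_blacklists(stanza):
        (plain.update(expand_codes(value)) if is_plain_codes(value)
         else regex.append(value))
    values = ([to_ranges(plain)] if plain else []) + regex
    if len(values) > MAX_NUMBERED:
        raise ValueError(f"{len(values)} blacklists exceed {MAX_NUMBERED} slots; "
                         "move the rest to props/transforms (nullQueue)")
    return [f"blacklist{i} = {v}" for i, v in enumerate(values, start=1)]
```

Run `consolidate(SAMPLE)` to see the four original lines shrink to two, freeing slots for further blacklists.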

aaraneta_splunk
Splunk Employee

@cjaramilloc - Did the answer provided by woodcock help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

koshyk
Super Champion

Do you have a heavy forwarder before your indexer? (Or even the indexer is OK, but it will be CPU intensive.) You can do props/transforms at message level within the Heavy Forwarder (or indexer) and put it into nullQueue so it is NOT indexed.

0 Karma


cjaramilloc
Explorer

I've already done the combinations, but I still need room for more.

0 Karma

woodcock
Esteemed Legend

So what did it finally look like?

0 Karma

somesoni2
Revered Legend

You should be able to use syntax like this for the remaining blacklists/event filters (using props/transforms on the Indexer/Heavy Forwarder).
https://answers.splunk.com/answers/107605/filtering-events-out-via-props-conf-and-transforms-conf.ht...

0 Karma