I want to blacklist 4698, 4699, 4700, 4701,4702 if they contain 'Microsoft\Windows' in the Task Name.
Would either of these work?
blacklist1 = EventCode="4698,4699,4700,4701,4702" Message="(?:Task Name:).+(?:Microsoft\Windows?)"
or
blacklist1 = EventCode="4698-4702" Message="(?:Task Name:).+(?:Microsoft\Windows?)"
Or would I have to have a separate line for each, such as :
blacklist1 = EventCode="4698" Message="(?:Task Name:).+(?:Microsoft\Windows?)"
blacklist2 = EventCode="4699" Message="(?:Task Name:).+(?:Microsoft\Windows?)"
etc
Since Message="(?:Task Name:).+(?:Microsoft\Windows?)" is in regex form, the "EventCode=" must use regex as well.
You will have to break up "EventCode=" into two separate blacklist. For example:
blacklist = EventCode="^469([8-9])$" Message=blah
blacklist1 = EventCode="^470([0-2])$" Message=blah
This Splunk Doc provides an example of whitelisting, but both are similar.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/MonitorWindowseventlogdata
You can either filter by eventcode or regex. According to Splunk Docs...You can specify one of two formats:
One or more Event Log event codes or event IDs (Event Log code/ID format.)
One or more sets of keys and regular expressions. (Advanced filtering format.)
You cannot mix formats in a single entry. You also cannot mix formats in the same stanza.
Examples -
event code blacklist
blacklist1 = 1100,1101,4624,4634,4647-4649
regex blacklist
blacklist1 = EventCode=%^200$% User=%drodman%
You can specify up to 10 blacklist per input stanza. If you need more than this you might want to consider a whitelist strategy instead. You just whitelist the codes you need instead of blacklisting the ones you don't.
More details here: http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Event_Log_whitelist_and_blacklis...