Getting Data In

How do I blacklist multiple events on same line: Can I use '-'?

benbabich
Explorer

I want to blacklist 4698, 4699, 4700, 4701, 4702 if they contain 'Microsoft\Windows' in the Task Name.

Would either of these work?
blacklist1 = EventCode="4698,4699,4700,4701,4702" Message="(?:Task Name:).+(?:Microsoft\Windows?)"
or
blacklist1 = EventCode="4698-4702" Message="(?:Task Name:).+(?:Microsoft\Windows?)"

Or would I have to have a separate line for each, such as:
blacklist1 = EventCode="4698" Message="(?:Task Name:).+(?:Microsoft\Windows?)"
blacklist2 = EventCode="4699" Message="(?:Task Name:).+(?:Microsoft\Windows?)"
etc


chanthongphiob
Path Finder

Since Message="(?:Task Name:).+(?:Microsoft\Windows?)" is in regex form, the "EventCode=" must use regex as well.

You will have to break up "EventCode=" into two separate blacklists. For example:

blacklist = EventCode="^469([8-9])$" Message=blah
blacklist1 = EventCode="^470([0-2])$" Message=blah

This Splunk Doc provides an example of whitelisting, but both are similar.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/MonitorWindowseventlogdata


aivarson_splunk
Splunk Employee

You can either filter by event code or by regex. According to Splunk Docs... You can specify one of two formats:

One or more Event Log event codes or event IDs (Event Log code/ID format.)
One or more sets of keys and regular expressions. (Advanced filtering format.)
You cannot mix formats in a single entry. You also cannot mix formats in the same stanza.

Examples -
event code blacklist
blacklist1 = 1100,1101,4624,4634,4647-4649

regex blacklist
blacklist1 = EventCode=%^200$% User=%drodman%

You can specify up to 10 blacklists per input stanza. If you need more than this you might want to consider a whitelist strategy instead. You just whitelist the codes you need instead of blacklisting the ones you don't.

More details here: http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Event_Log_whitelist_and_blacklis...

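The two answers above make the same point: an entry is either a plain code list (where `4647-4649` is a range) or key=regex pairs (where `4698-4702` is just a regex that matches nothing), so covering 4698-4702 together with a Message test needs two regex entries. The following Python script is an added example, not part of the thread and not Splunk's own code; it models the matching rules the answers describe (pairs within one entry must all match, separate entries combine as OR, regexes are searched rather than anchored, so `^...$` on EventCode matters) and runs them over a few constructed Security-log events. The event text and task names are made up, and a literal backslash in the Message regex is written as `\\`.

```python
import re

# Constructed inputs.conf-style blacklist entries (examples added here, not the
# thread's real config). Advanced format: every key=regex pair in one entry must
# match for the event to be dropped. ^469[89]$ cannot span 4698-4702, so two
# entries are needed, as the answers above explain.
ADVANCED_ENTRIES = [
    r'EventCode="^469[89]$" Message="(?:Task Name:).+Microsoft\\Windows"',
    r'EventCode="^470[0-2]$" Message="(?:Task Name:).+Microsoft\\Windows"',
]
# Event Log code/ID format: plain codes and ranges, no regex, no Message test.
CODE_LIST_ENTRY = "1100,1101,4624,4634,4647-4649"

# key="regex" or key=%regex% (both delimiters appear in the answers above)
KEY_VALUE_RE = re.compile(r'(\w+)=(["%])(.*?)\2')


def parse_entry(entry: str):
    """Return ('codes', set_of_codes) or ('advanced', {key: compiled_regex})."""
    if "=" not in entry:
        codes = set()
        for part in entry.split(","):
            part = part.strip()
            if "-" in part:  # ranges are only valid in this plain-code format
                lo, hi = (int(x) for x in part.split("-", 1))
                codes.update(str(c) for c in range(lo, hi + 1))
            elif part:
                codes.add(part)
        return ("codes", codes)
    pairs = {key: re.compile(pat) for key, _, pat in KEY_VALUE_RE.findall(entry)}
    if not pairs:
        raise ValueError(f"unparseable blacklist entry: {entry!r}")
    return ("advanced", pairs)


def is_blacklisted(event: dict, parsed_entries) -> bool:
    """Entries combine as OR; pairs inside one advanced entry combine as AND.
    Regexes are searched, not anchored, so EventCode patterns carry ^...$."""
    for kind, spec in parsed_entries:
        if kind == "codes" and event.get("EventCode") in spec:
            return True
        if kind == "advanced" and all(
            key in event and rx.search(event[key]) for key, rx in spec.items()
        ):
            return True
    return False


def filter_events(events, entries):
    """Return the events that survive the blacklist (what would be indexed)."""
    parsed = [parse_entry(e) for e in entries]
    return [ev for ev in events if not is_blacklisted(ev, parsed)]


def codes_matched(entries, lo=4690, hi=4710):
    """Event codes in [lo, hi] whose EventCode part matches some entry (Message ignored)."""
    parsed = [parse_entry(e) for e in entries]
    matched = []
    for c in range(lo, hi + 1):
        code = str(c)
        for kind, spec in parsed:
            if kind == "codes":
                hit = code in spec
            else:
                hit = "EventCode" in spec and bool(spec["EventCode"].search(code))
            if hit:
                matched.append(code)
                break
    return matched


# Constructed events: code plus a Message in the style of the Windows Security log.
EVENTS = [
    {"EventCode": "4698", "Message": "A scheduled task was created.\r\nTask Name:\t\t\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"EventCode": "4698", "Message": "A scheduled task was created.\r\nTask Name:\t\t\\Contoso\\NightlyBackup"},
    {"EventCode": "4702", "Message": "A scheduled task was updated.\r\nTask Name:\t\t\\Microsoft\\Windows\\Wininet\\CacheTask"},
    {"EventCode": "4703", "Message": "Outside the code range.\r\nTask Name:\t\t\\Microsoft\\Windows\\Example"},
    {"EventCode": "46980", "Message": "Task Name:\t\t\\Microsoft\\Windows\\Example"},  # anchors keep this
]

if __name__ == "__main__":
    for ev in filter_events(EVENTS, ADVANCED_ENTRIES):
        print("kept:", ev["EventCode"])
    print("codes dropped by the two regex entries:", codes_matched(ADVANCED_ENTRIES))
    print("codes dropped by the code-list entry:", codes_matched([CODE_LIST_ENTRY], 4600, 4700))
```

Running it keeps the Contoso 4698 task, the 4703 event and the 46980 event, and drops only the two Microsoft\Windows tasks with codes in 4698-4702; `codes_matched` also shows that the asker's `EventCode="4698-4702"` and `EventCode="4698,4699,4700,4701,4702"` forms match no code at all once they are treated as regexes.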