Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Windows inputs.conf blacklist testing process

adalbor
Builder
‎12-03-2019 08:14 AM

Does anyone out there have a best practice for testing Windows event inputs.conf blacklist entries?

What actual event/part of the event is used for testing? The data in the splunk event gathered from a search? Or am I going straight to the windows box and copying the text from the General tab or the Friendly view?

I use regex101 and regexr and even sublime when needed to test regex's but I feel like looking through multiple posts everyone achieves their goals a little bit differently.

Would be great if Splunk provided a step by step document on how best to achieve this and ensure it works.

Thanks,
Andrew

0 Karma
Reply

DavidHourani
Super Champion
‎12-03-2019 08:22 AM

Hi @adalbor,

This is very well details here :
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Configuration_set...
Have a look at the blacklist section there.

You can even find advanced configurations and examples here :
https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/MonitorWindowseventlogdata#Create_advanced_f...

You can use an example event from Splunk to test your regex. After searching for the event you wish to test out, add |table _raw to your query to see the raw log line.

Let me know if you need more details.

Cheers,
David

Reply

adalbor
Builder
‎12-03-2019 08:29 AM

Thanks for the advice on using the _raw.

I've looked at the official documentation quite a few times and there is still left to be desired. It goes into some simple use cases but nothing actually advanced in my opinion.

0 Karma
Reply

DavidHourani
Super Champion
‎12-03-2019 08:33 AM

yeah.. It's called advanced in the documentation, but as usual the "advanced" that is documented is only there to help build things... surely nothing compared to what you can do with ninja skills and good imagination.

Anyway let me know if you still anything else and please accept the answer if it was helpful 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...