Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Blacklist windows event log by Host Applicatio...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thund_ssi
Explorer
07-14-2020
07:00 PM
Hello all,
I would like to exclude the following windows event log on the universal forwarder.
07/15/2020 08:38:55 AM
LogName=Microsoft-Windows-PowerShell/Operational
SourceName=Microsoft-Windows-PowerShell
EventCode=4103
EventType=4
Type=Information
ComputerName=HA-AGM-DB-01.SSI.LOCAL
User=NOT_TRANSLATED
Sid=S-1-5-21-2993187273-2588912068-3154952105-14529
SidType=0
TaskCategory=Executing Pipeline
OpCode=To be used when operation is just executing a method
RecordNumber=90748
Keywords=None
Message=CommandInvocation(Out-Host): "Out-Host"
CommandInvocation(Out-Default): "Out-Default"
ParameterBinding(Out-Default): name="Transcript"; value="True"
Context:
Severity = Informational
Host Name = ApmPSHost
Host Version = 1.0
Host ID = 85e424db-4fce-46cb-90d4-bace72bb3e2a
Host Application = SWJobEngineWorker2.exe 3e167b33-0a26-4f7e-9964-e38b1e939cc6 6612 AgentPlugin SolarWinds.APM.Probes
Engine Version = 5.1.14393.3383
Runspace ID = 3c6aab92-96b5-464d-8659-0e81de6d4ec9
Pipeline ID = 1
Command Name =
Command Type = Script
Script Name =
Command Path =
Sequence Number = 193
User = xxxxx
Connected User =
Shell ID = Microsoft.PowerShell
User Data:
Tried with this blacklist :
blacklist = EventCode="4103" Message="Host\sApplication\s=*SolarWinds.APM.Probes"
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thund_ssi
Explorer
07-14-2020
11:09 PM
I got it:
blacklist1 = EventCode="4103" Message="Host Application =\s+.*SolarWinds.APM.Probes"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thund_ssi
Explorer
07-14-2020
11:09 PM
I got it:
blacklist1 = EventCode="4103" Message="Host Application =\s+.*SolarWinds.APM.Probes"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anmolpatel
Builder
07-14-2020
08:22 PM
*Updated* Have a try with this blacklist stanza:
blacklist1 = EventCode="4103" Message="Host Application\s=\s*.*SolarWinds\.APM\.Probes"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thund_ssi
Explorer
07-14-2020
08:32 PM
Thanks, but not working
Get Updates on the Splunk Community!
Detecting Remote Code Executions With the Splunk Threat Research Team
REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...
Observability | Use Synthetic Monitoring for Website Metadata Verification
If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
