Help with configuring exclusions for certain error...

Tellon · ‎05-23-2014

My Goal is to exclude everything I already am for all servers, but only exclude EventIdentifier -2147482339 for two specific servers.

Before

Type=Error OR Type=Warning NOT EventIdentifier=1111 NOT EventIdentifier=1530 NOT EventIdentifier=36888 NOT EventIdentifier=-2046750718 NOT EventIdentifier=36887 host="*LYNC*" NOT EventIdentifier=1112 NOT EventIdentifier=-1073734824 Logfile=Application OR Logfile=System | dedup EventIdentifier sortby host | table Logfile EventIdentifier Message Type _time host

3 Results.

After

Type=Error OR Type=Warning NOT EventIdentifier=1111 NOT EventIdentifier=1530 NOT EventIdentifier=36888 NOT EventIdentifier=-2046750718 NOT EventIdentifier=36887 host="*LYNC*" NOT EventIdentifier=1112 NOT EventIdentifier=-1073734824 NOT EventIdentifier=-2147482339 AND (Host=A OR Host=B) Logfile=Application OR Logfile=System | dedup EventIdentifier sortby host | table Logfile EventIdentifier Message Type _time host

Expected 2 Results
Recieved 0 Results

What should I add for this?

lguinn2 · ‎05-23-2014

I would add in parenthesis to make my meaning explicit:

Type=Error OR Type=Warning NOT EventIdentifier=1111 NOT EventIdentifier=1530 NOT EventIdentifier=36888 NOT EventIdentifier=-2046750718 NOT EventIdentifier=36887 host="*LYNC*" NOT EventIdentifier=1112 NOT EventIdentifier=-1073734824 NOT (EventIdentifier=-2147482339 AND (Host=A OR Host=B)) Logfile=Application OR Logfile=System | dedup EventIdentifier sortby host | table Logfile EventIdentifier Message Type _time host

Help with configuring exclusions for certain errors.

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases