- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do I edit my wineventlog configuration to ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I edit my wineventlog configuration to blacklist a specific SourceName?
Hello, everyone.
I am having trouble finding a solution to blacklisting a SourceName called "SCLIntra Mobile Sync Service" on my forwarders. Anyone?
inputs.conf
[WinEventLog://Application]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
blacklist = SourceName="SCLIntra Mobile Sync Service"
Thanks,
James
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rmsit,
Try this;
blacklist = SourceName=\"SCLIntra\sMobile\sSync\sService\"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is normal Windows event log data. Nothing else is blacklisted/whitelisted for the Application log.
1/14/16
9:56:32.000 AM
01/14/2016 09:56:32 AM
LogName=Application
SourceName=SCLIntra Mobile Sync Service
EventCode=100
EventType=2
Severity = Error
SourceName = SCLIntra Mobile Sync Service
host = v1651ancay014
index = wineventlog
linecount = 55
source = WinEventLog:Application
sourcetype = WinEventLog:Application
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its weird, try this, tested on Application logs this time.
blacklist = SourceName=%^SLCIntra\sMobile\ssSync\ssService$%
EDIT: Had a typo on SLCIntra.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Spoke too soon...still not working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is working on my events with Splunk 6.3.x, was't working till I've found a "." at the end of the string.
blacklist = SourceName="SCLIntra Mobile Sync Service\."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I will try it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am still seeing this SoureName from my forwarder. Is it possible the UF cannot filter it? The UF is version 6.3.1.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Universal Forwarders can filter wineventlogs since Splunk 6+.
Can you paste an event sample ? Are u black/whitelisting any other thing ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works! Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm glad it worked out. Remember its key=regex when you black/whitelist.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
