Splunk Search

Is there an easy way to use blacklist in inputs.conf to filter the input itself in real-time like we would do for a Windows event log?

TobiasBoone
Communicator

Blacklisting works to blacklist a file or directory... but is there an easy way using blacklisting in inputs.conf to filter the input itself in real-time just like we would do from a Windows event log? To drop before indexing a Windows log, we would:

blacklist1 = EventCode="46**" Message="Account\sName:.*[\S\s]*Account\sName:\s+[\S+]+[\$]"
blacklist2 = EventCode="47**" Message="Logon\sAccount:.*[\S\s]*[dD]ocs_.*"

Is there a way to do something similar with a regular file input like in an IIS log to drop everything that ends in a .*\.jpg|png?

I know we can do it through props.conf and transforms.conf files, but it would sure be easier to understand and deploy if only in the inputs.conf. The Windows event log filtering works very very well and I would love to keep the configs similar.


lguinn2
Legend

Actually this is only possible for Event Log events - because Splunk has to parse them, even on a Universal Forwarder. Since Splunk has to translate the event log binary to text before it is forwarded, it seems logical to add the capability to filter the events locally.

However, no other data inputs are parsed during the inputs phase. Therefore, the events cannot be filtered using a Universal Forwarder.

If you must filter the events locally, you can use a Heavy Forwarder, which processes both the input phase and the parsing phase before forwarding. Be aware that this will increase the processing load on the local machine, which is usually a bad idea for a forwarder that lives on a production server.
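The props.conf/transforms.conf route the question already mentions, as an added example that is not from any of the posters: it assumes a sourcetype named iis and a transform name chosen here, and it only takes effect on the Heavy Forwarder or indexer that performs the parsing phase.

```ini
# Constructed example: drop IIS requests for .jpg/.png assets before indexing.
# The sourcetype name "iis" and the transform name are assumptions for illustration.

# ----- props.conf -----
[iis]
# Run the transform below during parsing; the suffix after "TRANSFORMS-" is
# an arbitrary label, the value is the transforms.conf stanza name.
TRANSFORMS-drop_static = iis_drop_static_assets

# ----- transforms.conf -----
[iis_drop_static_assets]
# W3C IIS lines are space-delimited and the URI (cs-uri-stem) is not the last
# field, so match a whitespace-delimited field ending in .jpg or .png rather
# than anchoring to the end of the line.
REGEX = (?i)\s\S+\.(?:jpg|png)\s
# Route matching events to the null queue so they are discarded.
DEST_KEY = queue
FORMAT = nullQueue
```

Events sent to nullQueue are gone before indexing and cannot be recovered by search, so test the REGEX against sample lines first. A Universal Forwarder passes the raw stream through unparsed, so these stanzas have no effect there.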

TobiasBoone
Communicator

Obviously the forwarders have the capability to do regex on the event itself because the Windows Inputs using this method work like a champ. I just don't know if it is enabled on file inputs or what the syntax would be to specify looking at the line itself and not the file.


somesoni2
Revered Legend

As far as I know, that is not possible (event level filter) with just inputs.conf. I would love to hear if anyone says otherwise.
