Hi there,
Hi, I can only support richgalloway's idea that the inputs.conf you use is not in place.
The data you are talking about comes from a server which is not your Splunk server itself, since you said the data is coming in from your forwarder. Even though your inputs.conf is written on the Splunk instance, it is deployed to your universal forwarders (UF) and needs to be active there. When you restart the Splunk server, is it the Splunk server or the universal forwarder, after(!) it pulled the new configuration?
How are you deploying your inputs? If you edit the inputs.conf in a deployment app ($SPLUNK_HOME$/etc/deployment-apps//local/inputs.conf) you can configure the app to automatically restart the Universal Forwarder after the app got redeployed. Everything to read should be found here:
http://docs.splunk.com/Documentation/Splunk/6.5.1/Updating/Createdeploymentapps
https://docs.splunk.com/Documentation/Splunk/6.5.1/Updating/Updateconfigurations
Besides a correct deployment process, I've noticed something while going through the documentation about Windows Event Log monitoring. There is a difference between the two blacklist-filtering formats you can apply in your configuration. I'm pretty sure I've already used the 2nd "advanced filtering" mode in some configurations. You can give it a try!
When using the Event Log code/ID format:
For multiple codes/IDs, separate the list with commas.
For ranges, use hyphens (for example "0-1000,5000-1000").
When using the advanced filtering format:
Use '=' between the key and the regular expression that represents your filter (for example "blacklist = EventCode=%^1([8-9])$%").
You can have multiple key/regular expression sets in a single advanced filtering entry. Splunk software conjuncts the sets logically. This means that the entry is valid only if all of the sets in the entry are true.
You can specify up to 10 blacklists per stanza by adding a number to the end of the blacklist attribute, for example blacklist1...blacklist9.
http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/MonitorWindowseventlogdata
Greetings