Event Log filtering
Filtering at the input layer is desirable because it reduces the total
processing load, both in network transfer and in computation on the Splunk
nodes that acquire and process Event Log data.
whitelist = <list of eventIDs> | key=regex [key=regex]
blacklist = <list of eventIDs> | key=regex [key=regex]
whitelist1 = <list of eventIDs> | key=regex [key=regex]
whitelist2 = <list of eventIDs> | key=regex [key=regex]
whitelist3 = <list of eventIDs> | key=regex [key=regex]
whitelist4 = <list of eventIDs> | key=regex [key=regex]
whitelist5 = <list of eventIDs> | key=regex [key=regex]
whitelist6 = <list of eventIDs> | key=regex [key=regex]
whitelist7 = <list of eventIDs> | key=regex [key=regex]
whitelist8 = <list of eventIDs> | key=regex [key=regex]
whitelist9 = <list of eventIDs> | key=regex [key=regex]
blacklist1 = <list of eventIDs> | key=regex [key=regex]
blacklist2 = <list of eventIDs> | key=regex [key=regex]
blacklist3 = <list of eventIDs> | key=regex [key=regex]
blacklist4 = <list of eventIDs> | key=regex [key=regex]
blacklist5 = <list of eventIDs> | key=regex [key=regex]
blacklist6 = <list of eventIDs> | key=regex [key=regex]
blacklist7 = <list of eventIDs> | key=regex [key=regex]
blacklist8 = <list of eventIDs> | key=regex [key=regex]
blacklist9 = <list of eventIDs> | key=regex [key=regex]
These settings are optional.
Both numbered and unnumbered whitelists and blacklists support two formats:
A comma-separated list of event IDs.
A list of key=regular expression pairs.
You cannot combine these formats on a single line; each line uses one
format or the other.
Numbered whitelist settings are permitted from 1 to 9, so whitelist1 through
whitelist9 and blacklist1 through blacklist9 are supported.
If no whitelist or blacklist rules are present, the input reads all events.
http://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf#Windows_Event_Log_Monitor
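As an added illustration (not taken from the Splunk documentation), the stanza below applies both formats from the spec above to the Security channel: an unnumbered whitelist built from a comma-separated event-ID list, a numbered whitelist using key=regex pairs, and a blacklist that drops a noisy subset. The stanza name, the key names EventCode and Message, and the %-delimited regex form are assumed from Splunk's inputs.conf conventions; the event IDs chosen are a sample selection, not a recommendation from the page.

```ini
# inputs.conf (added example, not from the original page)
[WinEventLog://Security]
disabled = 0
# Format 1: a comma-separated list of event IDs on its own line.
# Keep logon, privilege-use, process-creation and account-management events.
whitelist = 4624,4625,4648,4672,4688,4720,4726,4728,4732
# Format 2: key=regex pairs, placed on a separate numbered line.
# Multiple keys on one line must all match that event.
whitelist1 = EventCode=%^(4697|4698)$% Message=%(?i)powershell%
# Blacklist using key=regex: drop 4624 logons by computer accounts
# (account names ending in $), which dominate volume on domain members.
blacklist = EventCode=%^4624$% Message=%Account Name:\s+\S+\$%
```

Because the whitelist already restricts the input to the listed IDs, the blacklist only needs to name the subset to discard; a stanza with no whitelist or blacklist at all forwards every event on the channel.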