Splunk 6.2.6 inputs.conf blacklisting
Viewed numerous blogs and answers on similar topics, but can't come up with the correct string for my need. Also looked at the inputs.conf spec.
Event 4656, the Account Name: field, I don't want to see computer names. In the "Account Name" field, all computers begin with a common word which I'll call "junk" for the purposes of this post and end with a "$".
blacklist = EventCode=4656 Message="Object Type:\s+(junk*$)"
I've tried a couple dozen other methods and iterations all with no success. Would appreciate any help as this item is crushing my license!
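A way to check a blacklist regex offline before deploying it, as an added example that is not part of the original post: it runs the posted pattern and a hypothetical candidate pattern against constructed 4656 message text. Assumptions: Python's `re` stands in for Splunk's regex engine with unanchored matching, the message layout is an abridged constructed sample, and the candidate pattern has not been verified on Splunk 6.2.6.

```python
import re

def make_message(account_name):
    """Build a constructed, abridged Event 4656 Message body for one account."""
    return (
        "A handle to an object was requested.\r\n\r\n"
        "Subject:\r\n"
        "\tSecurity ID:\t\tS-1-5-21-0-0-0-1001\r\n"
        f"\tAccount Name:\t\t{account_name}\r\n"
        "\tAccount Domain:\t\tEXAMPLE\r\n\r\n"
        "Object:\r\n"
        "\tObject Server:\t\tSecurity\r\n"
        "\tObject Type:\t\tFile\r\n"
        "\tObject Name:\t\tC:\\Temp\\report.txt\r\n"
    )

# Pattern from the post: it targets "Object Type:", "junk*" means "jun" plus
# zero or more "k", and the unescaped "$" is an end-of-text anchor.
POSTED = r"Object Type:\s+(junk*$)"

# Hypothetical candidate: target "Account Name:", allow any non-space
# characters after "junk", and escape "$" so it matches the literal character.
# (?i) makes it case-insensitive, since computer names are often upper case.
CANDIDATE = r"(?i)Account Name:\s+junk\S*\$"

# Constructed account names: two computer accounts, two user accounts.
ACCOUNTS = ["junkWS01$", "JUNKSRV7$", "alice", "junkie.smith"]

def would_drop(pattern, message):
    """True if the pattern matches anywhere in the message (event blacklisted)."""
    return re.search(pattern, message) is not None

def evaluate(pattern, accounts):
    """Map each account name to whether its 4656 event would be dropped."""
    return {a: would_drop(pattern, make_message(a)) for a in accounts}

if __name__ == "__main__":
    for label, pattern in (("posted", POSTED), ("candidate", CANDIDATE)):
        print(label, evaluate(pattern, ACCOUNTS))
```

The user account `junkie.smith` is included to confirm that requiring the trailing literal `$` keeps events from human accounts that happen to share the prefix.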