timothy_
Contributor

log insight filters


hi,

we are in the process of testing out log insights as our global log repository and are running into some issues which are likely syntax but I'm just not sure.

one of the servers we are testing with throws a whole lot of v4_GUID events, and we want to prevent those from being logged at all

at the agent configuration we are trying:

[winlog|db-windows-application]
channel=Application
enabled=yes
blacklist = event_type == "v4_f39b2ea6"

but this doesn't seem to work

then at the filter query level I've tried "event_type" "is not" "v4_*" which also does not seem to work...

can anyone help out with some pointers as to why neither approach is working?

Thanks in advance


Accepted Solutions
timothy_
Contributor

this ended up being a syntax error -_-

the corrected form is:

[winlog|db-windows-application]
channel=Application
enabled=yes
blacklist=event_type == "v4_f39b2ea6", event_type == "v4_3fd251c1"

4 Replies
MichaelRyom
Hot Shot

Hi

Afaik, event type is generated by log insight when ingested. So not at source. Also the event type is only unique to your installation.

Blogging at https://MichaelRyom.dk
MichaelRyom
Hot Shot

Normally when filters are used it's to include something. I have not used it to exclude stuff.

Also could you provide an example of what you don't want getting into log insight?

Blogging at https://MichaelRyom.dk