https://community.splunk.com/t5/All-Apps-and-Add-ons/REGEX-in-blacklist-doesn-t-work-as-intended/m-p/559284#M66076 <P>Have you tried using erex to help build your regex? It's a hidden gem, and extremely useful.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Erex" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Erex</A></P><P>&nbsp;</P> Tue, 13 Jul 2021 15:38:46 GMT codebuilder 2021-07-13T15:38:46Z https://community.splunk.com/t5/All-Apps-and-Add-ons/REGEX-in-blacklist-doesn-t-work-as-intended/m-p/559254#M66074 <P>Hello folks,</P><P>&nbsp;</P><P>I encountered a problem when trying to filter events from WinEventLog and EventCode 4662.&nbsp; When I use the next regex in a tester or in a SPL with a data set unfiltered, it works fine. But using it in a blacklist only allows a fraction of the messages when "Default Property Set" is in the first row after Properties.</P><P>&nbsp;</P><P>blacklist9 = EventCode="4662" Message="(Tipo\sde\sobjeto:(?!\s*groupPolicyContainer))[\s\S]*(Propiedades:(?![\s\S]*Default Property Set))"<BR /><BR />I tried some changes to the regex but I do not find a solution for this. Thanks for your time.</P> Tue, 13 Jul 2021 12:06:38 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/REGEX-in-blacklist-doesn-t-work-as-intended/m-p/559254#M66074 osakachan 2021-07-13T12:06:38Z https://community.splunk.com/t5/All-Apps-and-Add-ons/REGEX-in-blacklist-doesn-t-work-as-intended/m-p/559284#M66076 <P>Have you tried using erex to help build your regex? It's a hidden gem, and extremely useful.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Erex" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Erex</A></P><P>&nbsp;</P> Tue, 13 Jul 2021 15:38:46 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/REGEX-in-blacklist-doesn-t-work-as-intended/m-p/559284#M66076 codebuilder 2021-07-13T15:38:46Z https://community.splunk.com/t5/All-Apps-and-Add-ons/REGEX-in-blacklist-doesn-t-work-as-intended/m-p/559332#M66085 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/150269">@osakachan</a>&nbsp; Can you check are you following allowed regex its little different from PCRE-&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.1/admin/Inputsconf#Event_Log_allow_list_and_deny_list_formats" target="_blank">inputs.conf - Splunk Documentation</A></P> Wed, 14 Jul 2021 01:26:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/REGEX-in-blacklist-doesn-t-work-as-intended/m-p/559332#M66085 venkatasri 2021-07-14T01:26:40Z