https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-specific-accounts-in-Windows-security-log-event/m-p/217354#M42774 <P>Yes it is case sensitive<BR /> try this one <BR /> blacklist1 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\taccount1\s" </P> <P>blacklist2 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\taccount2\s" </P> <P>blacklist3 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\tComputername$\s" </P> <P>Or you can combine accounts by using pipe |.</P> Fri, 09 Mar 2018 05:23:22 GMT lredij 2018-03-09T05:23:22Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-specific-accounts-in-Windows-security-log-event/m-p/217349#M42769 <P>I've seen several posts here, but none that really have a concrete answer on this. I'm trying to blacklist certain accounts in my inputs.conf on the Splunk universal forwarder for Windows event id 4663 (object access).</P> <P>Does anyone know the correct way to blacklist several account names from appearing in the data forwarded to Splunk? I've seen some people say key off of user, others with message= followed by some regex with Account Name.</P> <P>The below obviously does not work.</P> <PRE><CODE>blacklist = EventCode="4663" Account Name="User, SERVER$, UserAccount1, UserAccount2" </CODE></PRE> Tue, 03 Jan 2017 14:47:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-specific-accounts-in-Windows-security-log-event/m-p/217349#M42769 splunkbacon 2017-01-03T14:47:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-specific-accounts-in-Windows-security-log-event/m-p/217350#M42770 <P>This seems to be a common misconception about filtering Windows Event log inputs. You can't use any field that you want as a key. Fields are not keys; in fact, fields do not exist at input time. You can find the list of keys in the docs <A href="http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/MonitorWindowseventlogdata#Create_advanced_filters_with_.27whitelist.27_and_.27blacklist.27">here</A>.<BR /> If the information that you want can be found in any of these keys, you can write a <EM>regular expression</EM> that matches. For example:</P> <PRE><CODE>blacklist = EventCode="4663" Message="User|SERVER$|UserAccount1|UserAccount2" </CODE></PRE> Tue, 03 Jan 2017 19:05:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-specific-accounts-in-Windows-security-log-event/m-p/217350#M42770 lguinn2 2017-01-03T19:05:13Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-specific-accounts-in-Windows-security-log-event/m-p/217351#M42771 <P>Thank you. I didn't try exactly what you have there but ended up getting this to work earlier.</P> <PRE><CODE>blacklist= Message="Account\sName:\s+(account1|SYSTEM|account2|(Computername\$))" </CODE></PRE> <P>Does anyone know if these entries are case sensitive or not?</P> Tue, 03 Jan 2017 19:11:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-specific-accounts-in-Windows-security-log-event/m-p/217351#M42771 splunkbacon 2017-01-03T19:11:23Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-specific-accounts-in-Windows-security-log-event/m-p/217352#M42772 <P>Thank you. I was able to get something similar to work after posting this.</P> <P>Does anyone know if these regex are case sensitive by default? I believe we can't follow the regex with /i to ignore case?</P> Tue, 03 Jan 2017 19:12:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-specific-accounts-in-Windows-security-log-event/m-p/217352#M42772 splunkbacon 2017-01-03T19:12:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-specific-accounts-in-Windows-security-log-event/m-p/217353#M42773 <P>Regular expressions are always case sensitive. Since Splunk uses PCRE, you should be able to make a regular expression case-INsensitive by putting <CODE>(?i)</CODE> at the beginning of the regex.</P> Tue, 03 Jan 2017 20:50:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-specific-accounts-in-Windows-security-log-event/m-p/217353#M42773 lguinn2 2017-01-03T20:50:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-specific-accounts-in-Windows-security-log-event/m-p/217354#M42774 <P>Yes it is case sensitive<BR /> try this one <BR /> blacklist1 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\taccount1\s" </P> <P>blacklist2 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\taccount2\s" </P> <P>blacklist3 = EventCode="4663" ComputerName=" Computer.name" Message="\sAccount Name:\t\tComputername$\s" </P> <P>Or you can combine accounts by using pipe |.</P> Fri, 09 Mar 2018 05:23:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-blacklist-specific-accounts-in-Windows-security-log-event/m-p/217354#M42774 lredij 2018-03-09T05:23:22Z