topic How to edit inputs.conf to blacklist an eventcode? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-to-edit-inputs-conf-to-blacklist-an-eventcode/m-p/316734#M59225 <P>I have the following inputs.conf stanza:</P> <PRE><CODE>[WinEventLog://Security]
 disabled=0
 current_only=1
 blacklist1=EventCode=4662 Message=”Object Type:s+(?!groupPolicyContainer)” </CODE></PRE> <P>Still we are receiving all the eventcode. Could you please help what else changes has to be made?</P> <P>Note: We are making the changes in the deployment server for the blacklist</P> Wed, 24 May 2017 18:32:36 GMT t_gayathirik 2017-05-24T18:32:36Z How to edit inputs.conf to blacklist an eventcode? https://community.splunk.com/t5/Getting-Data-In/How-to-edit-inputs-conf-to-blacklist-an-eventcode/m-p/316734#M59225 <P>I have the following inputs.conf stanza:</P> <PRE><CODE>[WinEventLog://Security]
 disabled=0
 current_only=1
 blacklist1=EventCode=4662 Message=”Object Type:s+(?!groupPolicyContainer)” </CODE></PRE> <P>Still we are receiving all the eventcode. Could you please help what else changes has to be made?</P> <P>Note: We are making the changes in the deployment server for the blacklist</P> Wed, 24 May 2017 18:32:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-inputs-conf-to-blacklist-an-eventcode/m-p/316734#M59225 t_gayathirik 2017-05-24T18:32:36Z Re: How to edit inputs.conf to blacklist an eventcode? https://community.splunk.com/t5/Getting-Data-In/How-to-edit-inputs-conf-to-blacklist-an-eventcode/m-p/316735#M59226 <P>what is the full path to file of the above inputs.conf?<BR /> are you leveraging the Splunk TA for Windows?</P> Sat, 27 May 2017 01:04:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-inputs-conf-to-blacklist-an-eventcode/m-p/316735#M59226 adonio 2017-05-27T01:04:11Z Re: How to edit inputs.conf to blacklist an eventcode? https://community.splunk.com/t5/Getting-Data-In/How-to-edit-inputs-conf-to-blacklist-an-eventcode/m-p/316736#M59227 <P>Pulled from my working blacklist of that precise same EventCode and scenario:</P> <PRE><CODE>blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)" </CODE></PRE> <P>Not sure if the differences are copy/paste issues or if they're broken in your stanza, but the above has worked for me. Note the <CODE>\s+</CODE>.</P> Sat, 27 May 2017 02:27:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-edit-inputs-conf-to-blacklist-an-eventcode/m-p/316736#M59227 Richfez 2017-05-27T02:27:36Z