topic How do you filter custom events in Windows Security log using regular expression in blacklist? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-custom-events-in-Windows-Security-log-using/m-p/427724#M74934 <P>Hello,</P> <P>We have Splunk Enterprise 7.2 with Deployment Server role and Splunk Universal forwarder on a Windows SQL server.</P> <P>The SQL server has custom event in Windows Security Log.</P> <P>Below is a portion of the Event Message.</P> <P>I need to create the blacklist entry in the inputs.conf file to filter out events where two patterns are match ing at the same time.</P> <P>"class_type:LX" AND "server_principal_name:DOMAIN1\"<BR /> The second pattern is 3 lines below of the first pattern.</P> <P>Any help will be greatly appreciated.</P> <P>Thank you,</P> <P>Joseph</P> <PRE><CODE>session_id:174 server_principal_id:274 database_principal_id:0 target_server_principal_id:0 target_database_principal_id:0 object_id:0 user_defined_event_id:0 transaction_id:0 class_type:LX permission_bitmask:00000000000000000000000000000000 sequence_group_id:A842D899-40A5-491E-886C-A8E7F7682BDD session_server_principal_name:DOMAIN1\sqlservice server_principal_name:DOMAIN1\sqlservice server_principal_sid:010500000000000515000000093a2a243fad146207e53b2b2f0a0000 database_principal_name: target_server_principal_name: target_server_principal_sid: target_database_principal_name: </CODE></PRE> Tue, 29 Sep 2020 22:57:18 GMT jzinguer 2020-09-29T22:57:18Z How do you filter custom events in Windows Security log using regular expression in blacklist? https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-custom-events-in-Windows-Security-log-using/m-p/427724#M74934 <P>Hello,</P> <P>We have Splunk Enterprise 7.2 with Deployment Server role and Splunk Universal forwarder on a Windows SQL server.</P> <P>The SQL server has custom event in Windows Security Log.</P> <P>Below is a portion of the Event Message.</P> <P>I need to create the blacklist entry in the inputs.conf file to filter out events where two patterns are match ing at the same time.</P> <P>"class_type:LX" AND "server_principal_name:DOMAIN1\"<BR /> The second pattern is 3 lines below of the first pattern.</P> <P>Any help will be greatly appreciated.</P> <P>Thank you,</P> <P>Joseph</P> <PRE><CODE>session_id:174 server_principal_id:274 database_principal_id:0 target_server_principal_id:0 target_database_principal_id:0 object_id:0 user_defined_event_id:0 transaction_id:0 class_type:LX permission_bitmask:00000000000000000000000000000000 sequence_group_id:A842D899-40A5-491E-886C-A8E7F7682BDD session_server_principal_name:DOMAIN1\sqlservice server_principal_name:DOMAIN1\sqlservice server_principal_sid:010500000000000515000000093a2a243fad146207e53b2b2f0a0000 database_principal_name: target_server_principal_name: target_server_principal_sid: target_database_principal_name: </CODE></PRE> Tue, 29 Sep 2020 22:57:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-custom-events-in-Windows-Security-log-using/m-p/427724#M74934 jzinguer 2020-09-29T22:57:18Z Re: How do you filter custom events in Windows Security log using regular expression in blacklist? https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-custom-events-in-Windows-Security-log-using/m-p/427725#M74935 <P>It looks like the blacklist record below in the inputs.conf file is working for me:<BR /> blacklist = Message="(?si)(\bclass_type:LX.+(?=\bserver_principal_name:DOMAIN1.+))"<BR /> Any comments are welcome. I am not sure if this will be the best option.<BR /> Cheers.<BR /> Joseph</P> Tue, 29 Sep 2020 22:59:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-custom-events-in-Windows-Security-log-using/m-p/427725#M74935 jzinguer 2020-09-29T22:59:38Z