Splunk Add-on for Microsoft Windows: How to troubleshoot why EventCode 4662 data is not being indexed?

Path Finder


I am trying to look up data related to EventCode="4662", but it does not show in Splunk.

I am using Universal Forwarders and nothing is being blacklisted within the inputs.conf for Splunk_TA_windows.
Additionally, I checked inputs.conf on the indexer and it was not present, so I copied inputs.conf from default:

disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog

I have checked within Windows Event Viewer on our Domain Controller that Event 4662 is present, but Splunk searches for EventCode=4662 produce no results.

Not sure how to troubleshoot that.

I am running a single Splunk server.

Splunk Employee

The current issue has been fixed in Windows TA 4.8.4 onwards, so please download the latest version of the Windows TA and test, or try using the following regex.
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"

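The difference between the two Message regexes above comes down to backtracking, shown here as an added example (not code from the thread or from the add-on): Python's `re` stands in for Splunk's PCRE, which backtracks the same way for these constructs, and the message excerpts are constructed rather than captured 4662 events.

```python
import re

# The two Message= blacklist regexes from this thread: the add-on's original
# pattern and the replacement suggested above.
OLD_PATTERN = re.compile(r"Object Type:\s+(?!groupPolicyContainer)")
NEW_PATTERN = re.compile(r"Object Type:(?!\s*groupPolicyContainer)")

# Constructed 4662 Message excerpts (not captured events). Windows formats the
# message as "label:<tab><tab>value", so a run of whitespace follows the colon.
GPO_EVENT = (
    "An operation was performed on an object.\r\n"
    "\tObject Type:\t\tgroupPolicyContainer\r\n"
)
JUNK_EVENT = (
    "An operation was performed on an object.\r\n"
    "\tObject Type:\t\tuser\r\n"
)
# Same GPO event with a single space after the colon, to isolate the cause.
GPO_EVENT_ONE_SPACE = "Object Type: groupPolicyContainer\r\n"


def is_dropped(pattern: re.Pattern, message: str) -> bool:
    """A blacklist regex that matches the Message means Splunk drops the event."""
    return pattern.search(message) is not None


def evaluate(message: str) -> dict:
    """Report whether each blacklist would drop the given message."""
    return {
        "old_drops": is_dropped(OLD_PATTERN, message),
        "new_drops": is_dropped(NEW_PATTERN, message),
    }


if __name__ == "__main__":
    # With two tabs, OLD drops the GPO event too: \s+ gives back one tab and the
    # lookahead then sees "\tgroupPolicyContainer", which is not the literal
    # "groupPolicyContainer", so the negative lookahead succeeds and the event
    # matches the blacklist. NEW puts the whitespace inside the lookahead, so no
    # backtracking position can slip past the check. With a single space the
    # old pattern cannot backtrack and behaves as intended.
    samples = [("gpo", GPO_EVENT), ("junk", JUNK_EVENT), ("gpo_one_space", GPO_EVENT_ONE_SPACE)]
    for name, msg in samples:
        print(name, evaluate(msg))
```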

Path Finder

Could you add some context, why are these specific events "4662" and "566" in your config? Do they definitely appear in your indexed data?


Path Finder

This is a default config. It is supposed to filter out events 4662 that contain junk and only leave events 4662 which contain GPO changes (see for details
GPO changes were done today and I can see these events on Windows Event Viewer on DC.


Path Finder

I'm running into the same issue. Even when I comment out the blacklisting altogether for EventCode 4662, Splunk is still not indexing any 4662 events (junk or not). I've confirmed that there are other events coming in from the Windows Security Log so I don't believe that permissions are an issue here.



I know this is stating the obvious, but have you confirmed that 4662 is coming into the event logs? I know that when we removed the blacklist entirely as a means of troubleshooting, we found that 4662 was not being logged.

That said, I am still having issues myself with the blacklisting portion, but I do know that events not being actually logged was one of our issues, and now events are coming in if I remove the blacklist entirely. If anyone has any ideas outside of copying/pasting, typing things manually, using btool, reinstalling add-ons and clients, or standing on your head and spinning around three times by moonlight, I'd be happy to hear.



Sorry, but your config file shows 4662 as blacklisted. Is it a typo?

Happy Splunking!

Path Finder

No, the regular expression Message="Object Type:\s+(?!groupPolicyContainer)" filters out the junk.
I am just looking to see Group Policy changes, which I know took place earlier this morning, and I can see those events within Windows Event Viewer.
