Getting Data In

Can you help me get blacklist WinEventLog Security to work?



I tried to blacklist Windows event logs for EventCode and Message field content.

I can't figure out what's going wrong here.

My input, that was deployed to my universal forwarders ( I can see in internal that this happened for sure). App has "Restart Splunkd" and " Enable App" marked. Also checked with btool that the clients are picking up the conf changes.


blacklist1= EventCode="4627" Message="Account\sName:\s+\w+\$$"
blacklist2= EventCode="4661" Message="Account\sName:\s+\w+\$$"

I want to filter out EventCode 4627 and 4661 IF Account Name contains Names ending with $. Thats why I have $ twice. One for actually $ and one for end of line.

I am using Message as a key field, since in inputs.conf, it's stated that WinEventLogs needs certain key fields, within you can then extract your value.

The following keys are equivalent to
the fields that appear in the text of
the acquired events: * Category,
CategoryString, ComputerName,
EventCode, EventType, Keywords,
LogName, Message, OpCode, RecordNumber, Sid, SidType,
SourceName,TaskCategory, Type, User"

Regex101 is extracting properly.

I had a look in the _internal for blacklist1 and blacklist2 and for stanza WinEventLog://Security. No Error or Warm messages from clients.

I use this search index=myindex (EventCode="4661" OR EventCode="4627") Account_Name="*$" to test if there are still events coming. For now they are.

So If anyone has a good hint on how to do this, please let me know. I would appreciate specific answers (why your code should work not only the code itself). Thank you 🙂

Example Event for 4661








Keywords=Audit Success

Message=A handle to an object was requested.Subject :

    Security ID:        xxxx

    Account Name:        XXXXXX$
0 Karma


Hello @dkeck,

I assume not all lines are shown in your example event. That is, the last line is not "Account Name: ..."

So I believe you need to enable multi line mode. That way, $ will match the end of the line instead of the whole text.

When you open, you can see that multi line mode is enabled by default on regex101. When it comes to Splunk, you need to prefix the regex with (?m).

So I suggest you try something like this:

blacklist1 = EventCode="4627" Message="(?m)Account Name:\s+\w+\$$"
0 Karma


Thank you for your response. I will try that.

No its not the whole event, since win eventlog is pretty long.

But it continues like this:

Subject :
Security ID: xx
Account Name: XXXXXX$
Account Domain: XXXX
Logon ID: XXXX

0 Karma