I want to filter any event that has a "$" character in the SECOND Account Name field, because sometimes the first "Account Name" is empty, which is why I don't really care about that one.
Hence I tried the following in the Windows Universal Forwarder's inputs.conf:
# filtering win logs within the servers.
disabled = 0
index = test
sourcetype = win
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist3 = 560,567,7035,7036,592,593,595,4656,4663
blacklist4 = Message="Account Name:\s*((.|\n)*)Account Name:\s+(.*\$)"
blacklist5 = Message="Account Name:[\s]*(HealthMailbox.*)"
blacklist4 is the one I am trying to make work, to filter events with a "$" sign in the second "Account Name" field, but it doesn't work.
I am pretty sure that the regex is correct as when I tried the same regex in other online regex checkers against the above event, it matches.
Hence I am wondering: is there any special regex language that Splunk uses, which is why the above regex won't work?
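To check what the blacklist4 pattern actually selects before touching the forwarder, here is an added example (not part of the question or of Splunk) that runs it with Python's re module against a constructed two-"Account Name" Security message; Splunk's blacklist regexes are PCRE, and for the constructs used here the two engines agree. The sample messages, the TIGHTER pattern and the function names are assumptions for the demonstration.

```python
import re

# Constructed sample modelled on a 4624-style Security message: the Subject
# "Account Name" is "-", the New Logon "Account Name" is a machine account.
EVENT_MACHINE = (
    "An account was successfully logged on.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-0-0\n"
    "\tAccount Name:\t\t-\n"
    "\tAccount Domain:\t\t-\n\n"
    "New Logon:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tWKSTN01$\n"
    "\tAccount Domain:\t\tCORP\n"
)
# Same layout, but the second account is a user: must NOT be blacklisted.
EVENT_USER = EVENT_MACHINE.replace("WKSTN01$", "jsmith")
# First "Account Name" left empty, as the question describes.
EVENT_BLANK_FIRST = EVENT_MACHINE.replace("Account Name:\t\t-\n", "Account Name:\t\t\n", 1)

# The regex exactly as written in blacklist4.
POSTED = re.compile(r"Account Name:\s*((.|\n)*)Account Name:\s+(.*\$)")

# Same intent, written to skip with a lazy [\s\S]*? instead of (.|\n)*, which
# backtracks far less on long messages, and requiring "$" to be the last
# character of the account token rather than anywhere on the line.
TIGHTER = re.compile(r"Account Name:[\s\S]*?Account Name:[ \t]+[^\s$]*\$(?!\S)")


def second_account_is_machine(message, pattern=POSTED):
    """True if the message has a second Account Name ending in '$'."""
    return pattern.search(message) is not None


def check_all(message):
    """Return (posted_matches, tighter_matches) so both patterns can be compared."""
    return (second_account_is_machine(message, POSTED),
            second_account_is_machine(message, TIGHTER))


if __name__ == "__main__":
    for name, msg in (("machine", EVENT_MACHINE), ("user", EVENT_USER),
                      ("blank-first", EVENT_BLANK_FIRST)):
        print(name, check_all(msg))
```

If both patterns match the machine-account sample here but the forwarder still sends the event, the regex itself is not the thing to debug next; look at how the Message field reaches the blacklist on that host instead.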