I have the following inputs.conf stanza:
blacklist1=EventCode=4662 Message=”Object Type:s+(?!groupPolicyContainer)”
We are still receiving all the event codes. Could you please help with what other changes have to be made?
Note: We are making the changes in the deployment server for the blacklist.
What is the full path to the file of the above inputs.conf?
Are you leveraging the Splunk TA for Windows?
Pulled from my working blacklist of that precise same EventCode and scenario:
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
Not sure if the differences are copy/paste issues or if they're broken in your stanza, but the above has worked for me. Note the \s+.
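An added example, not part of the original thread and not Splunk's code: a small Python model of the blacklist line for checking the Message regexes offline against constructed 4662 messages. Assumptions: an event is dropped only when every key's regex in the line matches, Python's `re` stands in for Splunk's regex engine, and the `lookahead_ws` pattern and all helper names are introduced here for comparison.

```python
import re

# Message regexes: two from the thread, one variant added here for comparison.
PATTERNS = {
    "question": r"Object Type:s+(?!groupPolicyContainer)",       # as posted: literal "s+"
    "answer": r"Object Type:\s+(?!groupPolicyContainer)",        # as posted in the reply
    "lookahead_ws": r"Object Type:(?!\s*groupPolicyContainer)",  # added variant (assumption)
}

def make_event(object_type, gap, event_code="4662"):
    """Constructed sample event holding only the two fields the blacklist reads."""
    message = f"An operation was performed on an object.\nObject:\n\tObject Type:{gap}{object_type}\n"
    return {"EventCode": event_code, "Message": message}

def is_blacklisted(event, message_regex, event_code_regex="4662"):
    """Assumed model of one blacklist line: drop only if every key's regex matches."""
    return (re.search(event_code_regex, event["EventCode"]) is not None
            and re.search(message_regex, event["Message"]) is not None)

def dropped(pattern_name):
    """Map (object type, whitespace after the colon) -> True if the event is dropped."""
    regex = PATTERNS[pattern_name]
    return {(obj, gap): is_blacklisted(make_event(obj, gap), regex)
            for obj in ("groupPolicyContainer", "user")
            for gap in (" ", "\t\t")}

if __name__ == "__main__":
    for name in PATTERNS:
        for (obj, gap), drop in dropped(name).items():
            print(f"{name:13} {obj:21} gap={gap!r:7} {'dropped' if drop else 'kept'}")
```

With the literal `s+` nothing matches, so every event is kept, which is the symptom in the question. With `\s+` the groupPolicyContainer event is kept when one whitespace character follows the colon, but with two tabs the `\s+` can give one back and the lookahead then succeeds, so it is worth testing the pattern against the exact spacing in your own events.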