Splunk Forwarder $xmlregex

ashketchum
New Member

I'm looking for support on my $xmlregex Blacklist. I have checked as many previous tickets as I can and I'm still stuck.

It works when I put the events into regex101, which is why I'm so confused.

This is what I have ended up with:

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
start_from = oldest
renderXml = 1
# 4100 Error Log | 4104 Script Block
whitelist = 4104,4100
blacklist = $xmlRegex= $\<EventID\>(?:4104|4100)\<\/EventID\>.*\<Data\sName='ScriptBlockText'\>[\S\s]*[C-Z]:\\Program(?:\sFiles|Data)(\s\(x86\))?\\(?:qualys|Nexthink|uniFLOW\sSmartClient)\\$
blacklist1 = $xmlRegex= $\<EventID\>(?:4104|4100)\<\/EventID\>.*\<Data\sName='ScriptBlockText'\>[\S\s]*[C-Z]:\\Windows\\ccm\\$

I've had to use [\S\s]* because it's a PowerShell script which has carriage returns in.

Any help would be massively appreciated.

Thanks! 

0 Karma
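An added check, not from the poster or from Splunk, that runs the posted pattern body through Python's `re` against a constructed rendered-XML 4104 event, treating everything after `$xmlRegex=` as a plain PCRE-style pattern the way regex101 does; the event text and the paths in it are made up for the test.

```python
import re

# Constructed stand-ins for rendered-XML (renderXml = 1) PowerShell 4104 events.
# They are not events from the poster's forwarder; the ScriptBlockText spans
# several lines, which is why the poster uses [\S\s]* instead of .*
NEXTHINK_EVENT = (
    "<Event><System><Provider Name='Microsoft-Windows-PowerShell'/>"
    "<EventID>4104</EventID></System><EventData>"
    "<Data Name='ScriptBlockText'>Set-Location 'C:\\Program Files (x86)\\Nexthink\\'\r\n"
    ". .\\collector.ps1\r\n</Data>"
    "<Data Name='Path'>C:\\Program Files (x86)\\Nexthink\\collector.ps1</Data>"
    "</EventData></Event>"
)
# Same event, but the script lives under a user profile and should NOT be filtered.
USER_EVENT = NEXTHINK_EVENT.replace("C:\\Program Files (x86)\\Nexthink\\", "C:\\Users\\jdoe\\")

# The pattern body exactly as it appears after "$xmlRegex=" in the question.
AS_POSTED = (
    r"$\<EventID\>(?:4104|4100)\<\/EventID\>.*\<Data\sName='ScriptBlockText'\>"
    r"[\S\s]*[C-Z]:\\Program(?:\sFiles|Data)(\s\(x86\))?\\"
    r"(?:qualys|Nexthink|uniFLOW\sSmartClient)\\$"
)
# Same body with the leading and trailing '$' stripped. '$' is the end-of-subject
# anchor in PCRE, so a pattern that begins with it can never be followed by
# '<EventID>' and therefore never matches anything.
FIXED = AS_POSTED[1:-1]


def is_blacklisted(pattern: str, event_xml: str) -> bool:
    """True if the pattern matches anywhere in the rendered event (unanchored search)."""
    return re.search(pattern, event_xml) is not None


def compare(event_xml: str) -> dict:
    """Evaluate the posted and the de-anchored pattern against one event."""
    return {
        "as_posted": is_blacklisted(AS_POSTED, event_xml),
        "fixed": is_blacklisted(FIXED, event_xml),
    }


if __name__ == "__main__":
    for name, event in (("nexthink", NEXTHINK_EVENT), ("user", USER_EVENT)):
        print(name, compare(event))
```

Splunk's inputs.conf examples quote the pattern (`$XmlRegex="..."`) rather than delimiting it with `$`, so the bare `$...$` is the first thing to check before worrying about the `\<` escapes. Note also that the pattern matches wherever the directory string occurs after the ScriptBlockText tag, so it suppresses any script block whose text merely mentions one of those directories; if the intent is where the script was run from, match on the `Path` data element instead.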

lar06
Explorer

Have you tried not escaping the < and > chars?

I've read somewhere escaping a non-special char might not work here.
