We're trying to collect specific GPO event codes, so we've created an app on the universal forwarder with the below in the inputs.conf file:
[WinEventLog://Application]
disabled = 0
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 300
whitelist = 5126,5257,5312,5313,1069,1128,4098
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml = false
I can see the event logs on the server but can't see any in Splunk. The wineventlog index already exists.
By changing the first line to the below, I got what I was after:
[WinEventLog://Microsoft-Windows-GroupPolicy/Operational]
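The reason the original stanza produced nothing is that `whitelist` only keeps events whose IDs occur in the channel named in the stanza header; if those IDs never appear in the Application log, the forwarder has nothing to send, and there is no error to point at the channel name. A quick local check on the domain controller separates a wrong channel name from a wrong filter before the app is pushed out. The snippet below is an added example, not part of the original thread; it assumes the channel name from the answer above and the event IDs from the question's whitelist, and that PowerShell is run with permission to read the operational log.

```powershell
# Added example: confirm the channel exists, is enabled, and actually
# contains the event IDs that the inputs.conf whitelist asks for.
$channel = 'Microsoft-Windows-GroupPolicy/Operational'   # from the answer above
$ids     = 5126, 5257, 5312, 5313, 1069, 1128, 4098        # from the question's whitelist

# 1. Does the channel exist on this host, and is it enabled with records in it?
#    A typo in the stanza header (wrong hyphen, wrong case in the path) shows up here
#    as "no log matching the name" rather than as silence in Splunk.
$logInfo = Get-WinEvent -ListLog $channel -ErrorAction Stop
$logInfo | Select-Object LogName, IsEnabled, RecordCount, LogMode

# 2. Do the whitelisted IDs occur in that channel? If this returns nothing while
#    the channel has records, the filter (not the channel) is the thing to revisit.
$events = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = $ids } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue
$events | Group-Object Id | Select-Object Name, Count | Sort-Object Name

# 3. For comparison, show that the same IDs are absent from the Application log,
#    which is why the first stanza header forwarded nothing.
$appHits = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = $ids } `
                        -MaxEvents 50 -ErrorAction SilentlyContinue
"Application log hits for the whitelisted IDs: $(@($appHits).Count)"
```

Run this on the host where the forwarder is installed; once step 2 returns events, the remaining places to look are the forwarder's splunkd.log for the WinEventLog input and the index name on the indexer side.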
@aimeedillon13, If your problem is resolved, please accept the answer to help future readers.