Getting Data In

What is wrong with my inputs.conf eventcode blacklist?

splunkIT
Splunk Employee
Splunk Employee

I have setup the following inputs.conf stanza
:


[WinEventLog://Security]

disabled=0

current_only=1

blacklist1=EventCode=4662 Message=”Object Type:\s+(?!groupPolicyContainer)”

but these events are still showing up in splunk when I search , what is the issue here?

I am using windows universal forwarder 6.1.1 and the latest windows-TA

0 Karma
1 Solution

kserra_splunk
Splunk Employee
Splunk Employee

The issue here is that the EventCode=4662 needs to be surrounded by some sort of delimiter , per the following in inputs.conf

In key/regex formn, the first character of the regex is the delimeter. Valid regexes look like:
%regex% regex "regex" etc. The only restriction is that the delimiter cannot be within the regex itself.

http://docs.splunk.com/Documentation/Splunk/6.1/Admin/Inputsconf

So if you instead add a delimiter , EventCode="4662" this will resolve the issue

blacklist1=EventCode="4662" Message=”Object Type:s+(?!groupPolicyContainer)”

should work

View solution in original post

kserra_splunk
Splunk Employee
Splunk Employee

The issue here is that the EventCode=4662 needs to be surrounded by some sort of delimiter , per the following in inputs.conf

In key/regex formn, the first character of the regex is the delimeter. Valid regexes look like:
%regex% regex "regex" etc. The only restriction is that the delimiter cannot be within the regex itself.

http://docs.splunk.com/Documentation/Splunk/6.1/Admin/Inputsconf

So if you instead add a delimiter , EventCode="4662" this will resolve the issue

blacklist1=EventCode="4662" Message=”Object Type:s+(?!groupPolicyContainer)”

should work

splunkIT
Splunk Employee
Splunk Employee

Thanks bro. That did it for me.

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Introducing ITSI 5.0: Unified Visibility and Actionable Insights

Introducing ITSI 5.0: Unified Visibility and Actionable Insights Tuesday, July 21, 2026  |  10:00AM PT / ...

Inside Splunk Agent Observability: Understanding Agent Behavior, Tokens & Costs

Inside Splunk Agent Observability:Understanding Agent Behavior, Tokens & Costs Thursday, August 06, ...

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...