Hi,
I have a requirement to blacklist all computer accounts (ending with $) in Security Event Code 4769. So far I have created the following filter in inputs.conf, but it is not working.
[WinEventLog://Security]
disabled = 0
renderXml = 1
source = XmlWinEventLog:Security
blacklist1 = EventCode="4769" Message="(?:<Data Name='ServiceName'>).+\$"
I checked the regex and it works in the regex builder app, but the filtering is not working. I am still receiving events with computer accounts.
I have referred to and tried various Splunk forum questions on the same topic, but no luck. Any help will be appreciated.
Thanks for your time.
@catchvjay You may try this:
blacklist1 = EventCode="4769" Message="Account Name:(\W+\w+$)"
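As an added check that is not part of this thread, the block below runs the two patterns posted above (plus a third, assumed pattern for the classic message text) against constructed 4769 samples in both renderings, using Python's re module as a stand-in for Splunk's PCRE so the filter can be validated before it is deployed. The sample events, field values and the classic_service pattern are assumptions, not captured data, and the assumption that renderXml=1 makes the XML text the thing the regex sees should be confirmed against inputs.conf.spec for your version.

```python
import re

# Constructed sample 4769 event text (not captured data): one request for a
# machine account service (name ends in $) and one for a user-style service.
# Classic rendering is the text Splunk exposes as the Message key; with
# renderXml=1 the event text is the XML rendering instead (assumption).
CLASSIC = {
    "machine": "A Kerberos service ticket was requested.\n\n"
               "Account Information:\n\tAccount Name:\t\tjdoe@CORP.EXAMPLE\n"
               "Service Information:\n\tService Name:\t\tWS01$\n",
    "user":    "A Kerberos service ticket was requested.\n\n"
               "Account Information:\n\tAccount Name:\t\tjdoe@CORP.EXAMPLE\n"
               "Service Information:\n\tService Name:\t\tkrbtgt\n",
}
XML = {
    "machine": "<Event><System><EventID>4769</EventID></System><EventData>"
               "<Data Name='TargetUserName'>jdoe@CORP.EXAMPLE</Data>"
               "<Data Name='ServiceName'>WS01$</Data></EventData></Event>",
    "user":    "<Event><System><EventID>4769</EventID></System><EventData>"
               "<Data Name='TargetUserName'>jdoe@CORP.EXAMPLE</Data>"
               "<Data Name='ServiceName'>krbtgt</Data></EventData></Event>",
}

PATTERNS = {
    # Regex from the question: the <Data> tag only exists in the XML rendering,
    # and '.+\$' fires on any later literal '$' in the event, not just ServiceName.
    "question_xml_tag": r"(?:<Data Name='ServiceName'>).+\$",
    # Regex from the reply: the trailing '\w+$' only fires when the Account Name
    # line ends in word characters (no literal '$', no '@DOMAIN' suffix).
    "reply_account":    r"Account Name:(\W+\w+$)",
    # Assumed alternative for the classic Message text: Service Name ends in $.
    "classic_service":  r"Service Name:\s+\S+\$",
}

def fires(pattern: str, text: str) -> bool:
    """True if the blacklist regex would match this event text (re as PCRE stand-in)."""
    return re.search(pattern, text, re.MULTILINE) is not None

def matrix() -> dict:
    """(pattern, rendering, sample) -> whether that event would be dropped."""
    out = {}
    for pname, pat in PATTERNS.items():
        for rname, samples in (("classic", CLASSIC), ("xml", XML)):
            for sname, text in samples.items():
                out[(pname, rname, sname)] = fires(pat, text)
    return out

if __name__ == "__main__":
    for key, hit in sorted(matrix().items()):
        print(f"{key[0]:18} {key[1]:8} {key[2]:8} -> {'DROP' if hit else 'keep'}")
```

Running it prints a drop/keep matrix per pattern and rendering, which is the quickest way to see whether a candidate blacklist regex fires on the rendering Splunk actually hands it before touching inputs.conf.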