Hi all,
I have a distributed Splunk Enterprise deployment. I am trying to filter incoming registry events to remove wasteful data on all of my Forwarders. This is the stanza in question from $SPLUNK_HOME\etc\deployment_apps\Splunk_TA_Windows\local\inputs.conf. This app is deployed to all appropriate Forwarders, and I have run 'reload deploy-server' after saving changes.
[WinRegMon://hklm]
disabled = 0
hive = \\REGISTRY\\MACHINE\\.*
proc = ^(?:(?!first\.exe|Second\.Punctuated\.exe).)*$
type = create|delete
index = windows-mon
When watching incoming data, the regex isn't working; events containing these exe names in process_image are still present. I have checked it on regex101.com using the example data below, and it works perfectly.
06/11/2020 08:51:57.983
event_status="(0)The operation completed successfully."
pid=1996
process_image="c:\Program Files\Folder\first.exe"
registry_type="CreateKey"
key_path="HKLM\software\folder\classifiedapplications"
data_type="REG_NONE"
data=""
06/11/2020 08:53:18.187
event_status="(0)The operation completed successfully."
pid=2084
process_image="c:\Program Files (x86)\Folder\Second.Punctuated.exe"
registry_type="CreateKey"
key_path="HKLM\software\microsoft\enterprisecertificates\trust\ctls"
data_type="REG_NONE"
data=""
What am I doing wrong?
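One thing worth ruling out, as an added check that is not part of the original post: proc is a regular expression and, as posted, it is case-sensitive, while the case of a Windows process image path on the wire is not guaranteed to match what was pasted from a search. The script below (Python re, assumed to agree with PCRE for this pattern) parses constructed events in the key=value format shown above, applies the posted proc regex to their process_image values, and compares the result with a `(?i)` case-insensitive variant of the same pattern.

```python
import re

# The proc regex exactly as posted in the inputs.conf stanza (match = keep, no match = drop).
POSTED_PROC_REGEX = r"^(?:(?!first\.exe|Second\.Punctuated\.exe).)*$"
# Same pattern with an inline case-insensitive flag (assumption: one way to ignore path case).
CASE_INSENSITIVE_PROC_REGEX = r"(?i)^(?:(?!first\.exe|Second\.Punctuated\.exe).)*$"

# Constructed sample events in the format from the post; the second one uses an
# upper-cased path to show what happens when the host reports a different case.
SAMPLE_EVENTS = """\
06/11/2020 08:51:57.983
event_status="(0)The operation completed successfully."
pid=1996
process_image="c:\\Program Files\\Folder\\first.exe"
registry_type="CreateKey"
key_path="HKLM\\software\\folder\\classifiedapplications"
06/11/2020 08:53:18.187
pid=2084
process_image="C:\\Program Files (x86)\\Folder\\SECOND.PUNCTUATED.EXE"
registry_type="CreateKey"
06/11/2020 08:55:00.000
pid=3012
process_image="C:\\Windows\\System32\\svchost.exe"
registry_type="CreateKey"
"""

# A timestamp line marks the start of a new event in this dump format.
TIMESTAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}$")


def parse_events(text):
    """Turn the multi-line key=value dump into one dict per event."""
    events, current = [], None
    for line in text.splitlines():
        if TIMESTAMP.match(line):
            current = {"_time": line}
            events.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key] = value.strip('"')
    return events


def apply_proc_filter(events, proc_regex):
    """Return the process_image values that survive the given proc regex."""
    pattern = re.compile(proc_regex)
    return [e["process_image"] for e in events
            if pattern.search(e.get("process_image", ""))]
```

With the posted pattern the upper-cased Second.Punctuated.exe event is kept; with the `(?i)` variant only svchost.exe remains, so comparing the raw process_image case in the indexed events against the regex is a quick way to confirm or exclude this.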