Splunk Search

Why is multiline regex blacklisting all events for specifically 4656 only?


Hi All,

I can't seem to get this right.
I am trying to use regex to blacklist 4656 events where:
The account name ends in $
The object server is "PlugPlayManager"

Example of the Event:

SourceName=Microsoft Windows security auditing.
TaskCategory=Other Object Access Events
Keywords=Audit Success
Message=A handle to an object was requested.

    Security ID:        domain\computer
    Account Name:       Computer$
    Account Domain:     domain
    Logon ID:       0x2xxxxx81e5

    Object Server:      PlugPlayManager
    Object Type:        Security
    Object Name:        PlugPlaySecurityObject
    Handle ID:      0x0

Process Information:
    Process ID:     0x2d0
    Process Name:       C:\Windows\System32\svchost.exe

Access Request Information:
    Transaction ID:     {00000000-0000-0000-0000-000000000000}
    Accesses:       Unknown specific access (bit 1)

    Access Reasons:     -
    Access Mask:        0x2
    Privileges Used for Access Check:   -
    Restricted SID Count:   0

I have tested multiple regexes and they all seem to work in regex101, but when I apply them, it instead blocks the entire EventCode.

Regex Example in windows_TA on UF

blacklist = EventCode="4656" Message="Account Name:.*?\$(?:[\S\s]*?)Object Server:.*?PlugPlayManager"

I have tried all manner of other combinations, all of which work on regex101. And if I change the account name to not include the ending $, or if I change the "object server", it will not match (in regex101).

But for some reason, the blacklist entry ends up blocking ALL 4656 events instead of just those that match.

Any help would be greatly appreciated, I do not want to have to block just based on one field in the log, I want to blacklist based on the username and object server.

Thanks in Advance

I forgot to mention, each time I make the change and reload the Server Class, it does actually appear to work for about 3 minutes, then I get nothing. Is it the case where I need to wait for say 60 minutes or so?



Hi @geraldcontreras,
could you please try this regex:

(?ms).*Account Name:\s+Computer\$.*Object\s+Server:\s+PlugPlayManager

that you can test at https://regex101.com/r/qiR7FZ/1
so in your TA's stanza:

blacklist = EventCode="4656" Message="(?ms).*Account Name:\s+Computer\$.*Object\s+Server:\s+PlugPlayManager"

If this filter doesn't run on the TA, you can apply it on the Indexers:
In props.conf, set the TRANSFORMS-null attribute:

TRANSFORMS-null= setnull

Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":

[setnull]
REGEX = (?ms).*Account Name:\s+Computer\$.*Object\s+Server:\s+PlugPlayManager
DEST_KEY = queue
FORMAT = nullQueue

For more info see https://docs.splunk.com/Documentation/Splunk/8.0.0/Forwarding/Routeandfilterdatad


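A quick way to check the two Message regexes from this thread outside Splunk, as an added example that is not part of the original posts: Python's re module run over a constructed copy of the sample event and two near-miss variants. This only exercises the regex text itself, not how the forwarder evaluates the blacklist.

```python
import re

# Constructed sample event, trimmed from the one in the question (not a real log).
EVENT_MATCH = """Message=A handle to an object was requested.

    Security ID:        domain\\computer
    Account Name:       Computer$
    Account Domain:     domain
    Logon ID:       0x2xxxxx81e5

    Object Server:      PlugPlayManager
    Object Type:        Security
    Object Name:        PlugPlaySecurityObject
"""

# Constructed near-misses: same layout, one field changed, so they must NOT be dropped.
EVENT_USER_ACCOUNT = EVENT_MATCH.replace("Computer$", "jsmith")
EVENT_OTHER_SERVER = EVENT_MATCH.replace("PlugPlayManager", "Security")

# The two Message regexes proposed in the thread, exactly as written between the quotes.
FILTERS = {
    "question": r"Account Name:.*?\$(?:[\S\s]*?)Object Server:.*?PlugPlayManager",
    "answer": r"(?ms).*Account Name:\s+Computer\$.*Object\s+Server:\s+PlugPlayManager",
}


def is_blacklisted(pattern: str, message: str) -> bool:
    """True when the regex matches the Message text, i.e. the event would be dropped."""
    return re.search(pattern, message) is not None


def evaluate(pattern: str) -> dict:
    """Run one filter against the intended event and the two near-misses."""
    return {
        "target_dropped": is_blacklisted(pattern, EVENT_MATCH),
        "user_account_dropped": is_blacklisted(pattern, EVENT_USER_ACCOUNT),
        "other_server_dropped": is_blacklisted(pattern, EVENT_OTHER_SERVER),
    }


if __name__ == "__main__":
    # Expected for both: only target_dropped is True.
    for name, pattern in FILTERS.items():
        print(name, evaluate(pattern))
```

If either near-miss shows up as dropped here, the regex is too broad; if both regexes behave as expected here but the forwarder still drops every 4656, the problem is not in the pattern text.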


Hi Giuseppe,

Thanks for your advice.

This also ends up blacklisting all events rather than those matching the regex.
I had tried many combinations prior to posting this question, all of which also work in regex101 but fail in the splunk_TA_windows.

I have tried a very simple regex blacklist for event 4656 and that also has the same effect. So it appears to be something unique to this event for some reason (I am using regex successfully on other EventCodes such as 5156, 4689, 5145 and it is working as expected).

I will try using the props and transforms and see if that works.

Very strange that it appears to be unique (so far) to this one EventCode only.

I'll let you know how I go.


