I have tried all manner of other combinations, all of which work on regex101. And if I change the account name to not include the ending $ or if I change the "object server", it will not match (in regex101).
But for some reason, the blacklist entry ends up blocking ALL 4656 events instead of just those that match.
Any help would be greatly appreciated. I do not want to have to block based on just one field in the log; I want to blacklist based on the username and object server.
Thanks in advance.
I forgot to mention, each time I make the change and reload the Server Class, it does actually appear to work for about 3 minutes, then I get nothing. Is it the case that I need to wait for, say, 60 minutes or so?
This also ends up blacklisting all events rather than just those matching the regex.
I had tried many combinations prior to posting this question, all of which also work in regex101 but fail in the Splunk_TA_windows.
I have tried a very simple regex blacklist for event 4656 and that also has the same effect. So it appears to be something unique to this event for some reason (I am using regex successfully on other EventCodes such as 5156, 4689 and 5145, and it is working as expected).
I will try using the props and transforms and see if that works.
Very strange that it appears to be unique (so far) to this one EventCode only.