Hello,
We have Splunk Enterprise 7.2 with Deployment Server role and Splunk Universal forwarder on a Windows SQL server.
The SQL server has custom event in Windows Security Log.
Below is a portion of the Event Message.
I need to create the blacklist entry in the inputs.conf file to filter out events where two patterns match at the same time.
"class_type:LX" AND "server_principal_name:DOMAIN1\"
The second pattern is 3 lines below the first pattern.
Any help will be greatly appreciated.
Thank you,
Joseph
session_id:174
server_principal_id:274
database_principal_id:0
target_server_principal_id:0
target_database_principal_id:0
object_id:0
user_defined_event_id:0
transaction_id:0
class_type:LX
permission_bitmask:00000000000000000000000000000000
sequence_group_id:A842D899-40A5-491E-886C-A8E7F7682BDD
session_server_principal_name:DOMAIN1\sqlservice
server_principal_name:DOMAIN1\sqlservice
server_principal_sid:010500000000000515000000093a2a243fad146207e53b2b2f0a0000
database_principal_name:
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
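As an added example that is not part of Joseph's post or any answer to it: the two strings sit on different lines of the event's Message field, so the blacklist regex has to bridge those lines. The block below shows a hypothetical inputs.conf stanza (in a comment) and checks its regex, in Python, against trimmed copies of the event body from the post plus two constructed non-matching events. It assumes Splunk hands the Message regex to PCRE unchanged (so a literal backslash is written `\\`) and that `[\s\S]*?` is used instead of `.*` so the match spans newlines whether or not the engine is run in dot-all mode.

```python
import re

# Hypothetical inputs.conf entry for the Universal Forwarder on the SQL server (assumption:
# Splunk passes the quoted value straight to PCRE, with no extra escaping layer):
#
#   [WinEventLog://Security]
#   blacklist1 = Message="(?m)class_type:LX[\s\S]*?^server_principal_name:DOMAIN1\\"
#
# Design notes:
#  - [\s\S]*? crosses the lines between the two fields without relying on a (?s) flag.
#  - (?m)^ pins the second field to a line start, because "server_principal_name:" is also a
#    substring of "session_server_principal_name:" one line above it. Drop the ^ if either
#    line should count.
#  - \\ is a single literal backslash in PCRE; DOMAIN1\ alone would escape the quote.
BLACKLIST_RE = re.compile(r"(?m)class_type:LX[\s\S]*?^server_principal_name:DOMAIN1\\")

# The same idea written with a plain .* and no multi-line handling; kept to show the pitfall.
NAIVE_RE = re.compile(r"class_type:LX.*server_principal_name:DOMAIN1\\")


def is_blacklisted(message: str) -> bool:
    """True when class_type:LX appears and, on a later line, server_principal_name:DOMAIN1\\."""
    return BLACKLIST_RE.search(message) is not None


def naive_single_line_match(message: str) -> bool:
    """What the .* version does: . never matches a newline, so this misses the real event."""
    return NAIVE_RE.search(message) is not None


# Constructed sample events. EVENT_MATCH is a trimmed copy of the Message body in the post;
# the other two are edited variants that should NOT be dropped.
EVENT_MATCH = r"""session_id:174
server_principal_id:274
class_type:LX
permission_bitmask:00000000000000000000000000000000
sequence_group_id:A842D899-40A5-491E-886C-A8E7F7682BDD
session_server_principal_name:DOMAIN1\sqlservice
server_principal_name:DOMAIN1\sqlservice
database_principal_name:"""

EVENT_OTHER_CLASS = EVENT_MATCH.replace("class_type:LX", "class_type:AUSC")
EVENT_OTHER_DOMAIN = EVENT_MATCH.replace(r"DOMAIN1\sqlservice", r"DOMAIN2\sqlservice")

SAMPLE_EVENTS = {
    "lx_domain1": EVENT_MATCH,
    "other_class": EVENT_OTHER_CLASS,
    "other_domain": EVENT_OTHER_DOMAIN,
}


def classify(events: dict) -> dict:
    """Map each sample event name to whether the blacklist would drop it."""
    return {name: is_blacklisted(body) for name, body in events.items()}


if __name__ == "__main__":
    for name, dropped in classify(SAMPLE_EVENTS).items():
        print(f"{name}: {'DROP' if dropped else 'keep'}")
    print("naive .* regex matches the real event:", naive_single_line_match(EVENT_MATCH))
```

After pushing the updated inputs.conf through the deployment server, the forwarder must reload or restart before the blacklist takes effect; `splunk btool inputs list WinEventLog://Security --debug` on the forwarder shows which file actually supplies the effective `blacklist1` value.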