I've seen several posts here, but none that really have a concrete answer on this. I'm trying to blacklist certain accounts in my inputs.conf on the Splunk universal forwarder for Windows event ID 4663 (object access).
Does anyone know the correct way to blacklist several account names from appearing in the data forwarded to Splunk? I've seen some people say key off of user, others with message= followed by some regex with Account Name.
The below obviously does not work.
blacklist = EventCode="4663" Account Name="User, SERVER$, UserAccount1, UserAccount2"
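An added inputs.conf example (not from the post) showing the non-working line beside a form that follows Splunk's documented blacklist syntax for Windows event log inputs; the stanza name and account names are assumed from the question.

```ini
# inputs.conf on the Windows universal forwarder (added example, not the poster's config).
# Assumed: the Security log stanza, the account names from the question, and that the
# events arrive through the WinEventLog input with the message text intact.
[WinEventLog://Security]
disabled = 0

# The line from the question, kept only to show the shape that does not work.
# "Account Name" is not a field key (keys contain no spaces), and the quoted value
# is read as a regular expression, not as a comma-separated list of names.
#blacklist = EventCode="4663" Account Name="User, SERVER$, UserAccount1, UserAccount2"

# Working form: each blacklist entry is a space-separated list of key=regex pairs.
# The key is a Windows event log field (EventCode, Message, User, ...), the regex is
# enclosed in double quotes or percent signs, and every pair must match for the event
# to be dropped. The comma list becomes a regex alternation; "$" in SERVER$ is escaped
# because it is a regex anchor; the lookahead stops "User" from also matching
# "UserAccount3". Up to ten entries are allowed (blacklist, blacklist1 .. blacklist9).
blacklist1 = EventCode="^4663$" Message="Account Name:\s+(?:User|SERVER\$|UserAccount1|UserAccount2)(?=\s|$)"

# Alternative keyed on the User field instead of the message text. Assumption: the
# User field resolves to the bare account name for these events; if it carries a
# DOMAIN\ prefix, extend the regex accordingly.
#blacklist2 = EventCode="^4663$" User="^(?:User|UserAccount1|UserAccount2)$"

# Caveat: events matching a blacklist are discarded on the forwarder and never
# indexed, so the excluded accounts disappear from the object-access audit trail.
# Treat each excluded account as a deliberate, documented detection gap.
```

After restarting the forwarder, confirm the filter with a search such as `index=<your_index> EventCode=4663 | stats count by user` and check that the excluded accounts no longer appear.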