You can filter either by event code or by regex. According to the Splunk docs, you can specify one of two formats:
One or more Event Log event codes or event IDs (Event Log code/ID format.)
One or more sets of keys and regular expressions. (Advanced filtering format.)
You cannot mix formats in a single entry. You also cannot mix formats in the same stanza.
Examples:
Event code blacklist:
blacklist1 = 1100,1101,4624,4634,4647-4649
Regex blacklist:
blacklist1 = EventCode=%^200$% User=%drodman%
You can specify up to 10 blacklists per input stanza. If you need more than this, you might want to consider a whitelist strategy instead. You just whitelist the codes you need instead of blacklisting the ones you don't.
More details here: http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Event_Log_whitelist_and_blacklist_formats
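The rules in the answer above (one format per entry, one format per stanza, at most 10 blacklists) can be checked before a config is deployed. The following is an added example, not part of the original post and not Splunk's own parser; the stanza name, sample values, and the `classify`/`lint` helpers are assumptions made for illustration.

```python
import re

# Constructed sample (not from the original post): one stanza that uses the
# event-code format and the advanced format side by side.
SAMPLE = """\
[WinEventLog://Security]
blacklist1 = 1100,1101,4624,4634,4647-4649
blacklist2 = EventCode=%^200$% User=%drodman%
"""

FILTER_KEY = re.compile(r"(blacklist|whitelist)\d*$")
CODE_LIST = re.compile(r"\d+(-\d+)?(\s*,\s*\d+(-\d+)?)*$")
# One key=<delim>regex<delim> set; the delimiter is whatever follows "=".
KEY_REGEX = re.compile(r"\w+\s*=\s*(\S).*?\1\s*")

def classify(value):
    """Return 'codes', 'advanced', or 'invalid' for one filter value."""
    value = value.strip()
    if CODE_LIST.match(value):
        return "codes"
    pos = 0
    while pos < len(value):
        m = KEY_REGEX.match(value, pos)
        if not m:
            return "invalid"  # e.g. codes and key=regex mixed in one entry
        pos = m.end()
    return "advanced" if value else "invalid"

def lint(conf_text):
    """Hypothetical helper: list (stanza, problem) pairs for filter entries."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            if FILTER_KEY.match(key.strip()):
                current[key.strip()] = classify(value)
    findings = []
    for name, entries in stanzas.items():
        for key, kind in entries.items():
            if kind == "invalid":
                findings.append((name, f"{key}: neither a code list nor key=regex sets"))
        if {"codes", "advanced"} <= set(entries.values()):
            findings.append((name, "mixes event-code and advanced formats"))
        blacklists = [k for k in entries if k.startswith("blacklist")]
        if len(blacklists) > 10:
            findings.append((name, f"{len(blacklists)} blacklist entries, limit is 10"))
    return findings
```

Running `lint(SAMPLE)` reports the mixed-format stanza; a stanza that sticks to one format and stays within the limit returns an empty list.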