Hi, I have a requirement to blacklist all  computer accounts (ending with $) in Security Event Code 4769. So far I have created following filter in inputs.conf but it is not working.     [WinEventLog://Security] disabled = 0 renderXml = 1 source = XmlWinEventLog:Security blacklist1 = EventCode="4769" Message="(?:<Data Name='ServiceName'>).+\$"      I checked regex and it is working on regex builder App but filtering is not working. I am still receiving events with computer accounts. I referred and tried out various splunk forum questions on the same but no luck. Any help will be appreciated. Thanks for your time. ... View more

Hi, We are trying to setup splunk app for Windows ad object monitoring as per MS Windows AD Objects | Splunkbase. Here we already have Windows TA Infrastructure app configured and sending logs to separate indexes rather than default mentioned in the app. Whenever I provide that index name in macro and run autocheck, it is not able to detect the data in that index. When I search that index in splunk search, I can see data coming into that index. We have data configured in xml based log format instead of classic ones. We have following setup. What could be the reason this app is not able to detect the data?   ... View more