Hi @Bo3432,

as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Inputsconf, blacklist requires a regex:

blacklist = <regular expression>

but also:

blacklist = <comma-separated list> | key=regex [key=regex]

so I prefer to use a full regex containing both the keywords.

In your case, you have a multiline log, so you have to add "(?ms)" to the beginning of the regex:

(?ms)EventCode\=4769.*TaskCategory\=\w+\s\w+\s\w+\s\w+

that you can test at https://regex101.com/r/ToPGX2/1

Ciao.
Giuseppe
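The regex from the answer above, checked offline against constructed multiline events. This is an added example, not part of the original post: it uses Python's `re` as a stand-in for Splunk's regex engine (an assumption), and the sample events and the names `is_dropped` and `kept` are hypothetical.

```python
import re

# Regex from the post, and the same pattern with the inline (?ms) flags removed.
BLACKLIST = r"(?ms)EventCode\=4769.*TaskCategory\=\w+\s\w+\s\w+\s\w+"
NO_FLAGS = BLACKLIST.replace("(?ms)", "", 1)

# Constructed sample events in a multiline key=value layout (not real logs).
EVENT_4769 = "\n".join([
    "01/15/2024 10:22:31 AM",
    "LogName=Security",
    "EventCode=4769",
    "EventType=0",
    "ComputerName=dc01.example.local",
    "TaskCategory=Kerberos Service Ticket Operations",
    "Message=A Kerberos service ticket was requested.",
])
EVENT_4624 = "\n".join([
    "01/15/2024 10:22:35 AM",
    "LogName=Security",
    "EventCode=4624",
    "EventType=0",
    "ComputerName=dc01.example.local",
    "TaskCategory=Logon",
    "Message=An account was successfully logged on.",
])
# Same event code, but a one-word category: the four-word tail cannot match.
EVENT_4769_SHORT = EVENT_4769.replace(
    "Kerberos Service Ticket Operations", "Logon")


def is_dropped(event, pattern=BLACKLIST):
    """True if the blacklist pattern matches anywhere in the raw event text."""
    return re.search(pattern, event) is not None


def kept(events, pattern=BLACKLIST):
    """Return the events that survive the blacklist."""
    return [e for e in events if not is_dropped(e, pattern)]


if __name__ == "__main__":
    samples = [EVENT_4769, EVENT_4624, EVENT_4769_SHORT]
    print("with (?ms):   ", len(kept(samples)), "of", len(samples), "kept")
    # Without the s flag, "." stops at the newline after EventCode=4769,
    # so the pattern never reaches the TaskCategory line and nothing is dropped.
    print("without flags:", len(kept(samples, NO_FLAGS)), "of", len(samples), "kept")
```

The tail `\w+\s\w+\s\w+\s\w+` only requires four whitespace-separated words, so any four-word TaskCategory on a 4769 event is dropped, not just one specific category.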