Hi, I am trying to look up data related to EventCode="4662", but it does not show in Splunk. Additionally, I checked inputs.conf on the indexer and it was not present. I copied inputs.conf from default:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false

I have checked within Windows Event Viewer on our Domain Controller that Event 4662 is present, but Splunk searches for EventCode=4662 produce no results. So what I want to see is the event code 4662 that contains Object Type: user in its message. Here I will provide the Event Viewer log that I want Splunk to show:

An operation was performed on an object.

Subject:
    Security ID: CIMBNIAGA\YT91504X
    Account Name: YT91504X
    Account Domain: CIMBNIAGA
    Logon ID: 0xC2D9E1AC

Object:
    Object Server: DS
    Object Type: user
    Object Name: CN=ADJOINADMIN,OU=Functional ID,OU=Special_OU,DC=cimbniaga,DC=co,DC=id
    Handle ID: 0x0

Operation:
    Operation Type: Object Access
    Accesses: READ_CONTROL
    Access Mask: 0x20000
    Properties: READ_CONTROL {bf967aba-0de6-11d0-a285-00aa003049e2}

Additional Information:
    Parameter 1: -
    Parameter 2:

Please help me, I am really stuck. I already tried deleting the blacklist filtering, but it still does not give me the log that I want, just like the one at the top. @kheo_splunk
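An added example, not part of the original post: a simplified Python model of how the blacklist1 line in the inputs.conf above treats 4662 events. It assumes an event is dropped when every key=regex pair on the line matches, uses Python's `re` in place of Splunk's regex engine, and the names `is_dropped`, `make_event`, `VARIANT` and the sample messages are constructed for illustration.

```python
import re

# blacklist1 from the post's inputs.conf, split into its key=regex pairs.
BLACKLIST1 = {
    "EventCode": r"4662",
    "Message": r"Object Type:\s+(?!groupPolicyContainer)",
}
# Variant written for this example (not from the post): the whitespace sits
# inside the lookahead, so there is no \s+ that can backtrack past it.
VARIANT = {
    "EventCode": r"4662",
    "Message": r"Object Type:(?!\s*groupPolicyContainer)",
}

def is_dropped(event, rule=BLACKLIST1):
    """Assumed model: drop only if every key's regex matches its field."""
    return all(re.search(rx, event.get(key, "")) for key, rx in rule.items())

def make_event(code, object_type, sep="\t\t"):
    """Constructed sample event; sep is the whitespace after 'Object Type:'."""
    message = (
        "An operation was performed on an object.\n"
        "Object:\n"
        "\tObject Server:\tDS\n"
        f"\tObject Type:{sep}{object_type}\n"
        "Operation:\n"
        "\tAccesses:\tREAD_CONTROL\n"
    )
    return {"EventCode": str(code), "Message": message}

if __name__ == "__main__":
    cases = [
        ("4662 user, two tabs", make_event(4662, "user")),
        ("4662 groupPolicyContainer, one space",
         make_event(4662, "groupPolicyContainer", sep=" ")),
        ("4662 groupPolicyContainer, two tabs",
         make_event(4662, "groupPolicyContainer")),
        ("4624 user, two tabs", make_event(4624, "user")),
    ]
    for label, event in cases:
        print(f"{label:40} blacklist1 drops: {is_dropped(event)!s:5} "
              f"variant drops: {is_dropped(event, VARIANT)}")
```

In this model the `Object Type: user` event from the post is matched by blacklist1 and filtered out. With two whitespace characters after the colon, `\s+` backtracks to one character and the negative lookahead then succeeds, so a groupPolicyContainer event is matched as well.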