Your blacklist regex expressions may not be compatible with the XML format for your indexed events.

Referenced from https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Use_blacklists_and_whitelists_to_filter_on_XML-based_events :

Render event data as extensible markup language (XML) supplied by the Windows Event Log subsystem. This setting is optional. A value of 1 or true means to render the events as XML. A value of 0 or false means to render the events as plain text. If you set renderXml to true, and if you want to also create allow lists or deny lists to filter event data, you must use the $XmlRegex special key in your allow lists or deny lists. 0 (false)
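An added example, not part of the original post or of the Splunk documentation: an inputs.conf deny list written for plain-text events next to the same filter rewritten with the $XmlRegex key for renderXml = true. The stanza, event ID 4688 and the ExampleAgent path are constructed sample values, and the regex assumes the XML form Windows renders (an EventID element followed by named Data elements).

```ini
# inputs.conf on the forwarder (constructed example, sample values only).
# The two stanzas are alternatives; keep only one in a real file.

# Before: deny list written against the plain-text rendering.
# It uses field keys (EventCode, Message) and text that only exists
# in the plain-text event, e.g. the "New Process Name:" label.
# With renderXml = true the event is XML, so this filter is the kind
# that stops matching.
[WinEventLog://Security]
renderXml = true
blacklist1 = EventCode="4688" Message="New Process Name:\s+C:\\Program Files\\ExampleAgent\\agent\.exe"

# After: the same intent expressed with the $XmlRegex special key.
# The regex is written against the XML text of the event: the event ID
# is in <EventID>...</EventID> and the process path is in a named
# <Data> element instead of a labelled line in Message.
[WinEventLog://Security]
renderXml = true
blacklist1 = $XmlRegex="<EventID>4688</EventID>.*<Data Name='NewProcessName'>C:\\Program Files\\ExampleAgent\\agent\.exe</Data>"
```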