I cant find them ... View more

According to the docs (and from experience), it'll be "TaskCategory". If the TaskCategory is exactly "Authorization Policy Change" (which google says is likely, then number 2 should have worked. Of course, there's the space issue, which may be real or may just be the editor. I'm going to assume it's a copy and paste and thus the space is a problem. So, your blacklist should be blacklist1 = EventCode="4670" TaskCategory="Authorization Policy Change" I don't have any of those events in my logs, so if it doesn't work, please confirm that's exactly the right TaskCategory String. ... View more

Source_port is not a valid key to use in blacklist Taken from the manual: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf?utm_source=answers&utm_medium=in-answer&utm_term=inputs.conf&utm_campaign=refdoc Valid keys for the key=regex format: The following keys are equivalent to the fields that appear in the text of the acquired events: Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, User ... View more