First, let us point out that in your example, you have both a "legacy" blacklist (only event code or code ranges), and two regex blacklists.
The processing of blacklists is to be interpreted as follows:
A blacklist key gets evaluated to produce a 1 or 0.
In the case of the legacy blacklist line, an event code is compared to the event code or event code ranges. If it matches an event code or falls into one of the event code ranges, then the blacklist line is computed as 1, otherwise 0.
In the case of the regex blacklist line, all terms are AND'ed together to compute the value of the blacklist line; if all terms match all regexes, then the blacklist line is computed as 1. If ANY regex fails, the entire blacklist line is computed as 0.
Splunk will process each blacklist line in order. If any of the blacklist lines is computed as 1, we stop there and toss out the event. As a programmer, one can consider them OR'd -- and with the optimization that once we find ONE blacklist line that computes 1, Splunk doesn't need to process any more blacklists, because once blacklisted, the event is gone.
Pro tip: make the blacklists that remove the largest number of events have lower numbers (e.g. blacklist1, blacklist2 ...)
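The evaluation order described in the post (legacy code/range line, regex lines AND'd, lines OR'd with short-circuit, and the pro tip about ordering) as an added, simplified re-implementation in Python. This is example code, not Splunk's own code: the `[WinEventLog://...]` stanza, the events, and the assumption that keys are evaluated in the order `blacklist`, `blacklist1`, `blacklist2`, ... are all constructed here, and a line is treated as "legacy" purely by its format (digits, commas and ranges only).

```python
import re
from functools import partial

# Added example (not Splunk's code). Re-implements the blacklist semantics described above
# for a Windows event log inputs.conf stanza:
#   blacklist  = 4634,5000-6000                       legacy form: codes and code ranges
#   blacklistN = EventCode="4688" Message="regex"     regex form: field="regex" terms, AND'd
# Assumption: lines are evaluated in the order blacklist, blacklist1, blacklist2, ...

LEGACY_SPEC = re.compile(r"^\s*\d+(\s*-\s*\d+)?(\s*,\s*\d+(\s*-\s*\d+)?)*\s*$")
TERM = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')   # field="regex", escaped quotes allowed


def parse_legacy(spec):
    """'4634,5000-6000' -> [(4634, 4634), (5000, 6000)] as inclusive ranges."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo)
        ranges.append((lo, int(hi) if hi.strip() else lo))
    return ranges


def parse_regex_line(spec):
    """'EventCode="4688" Message="..."' -> [(field, compiled_regex), ...]."""
    return [(field, re.compile(rx)) for field, rx in TERM.findall(spec)]


def legacy_value(ranges, event):
    """1 if EventCode equals a listed code or falls inside a listed range, else 0."""
    code = int(event["EventCode"])
    return int(any(lo <= code <= hi for lo, hi in ranges))


def regex_value(terms, event):
    """1 only if every field="regex" term matches (AND); any failing term makes the line 0.
    A field missing from the event is treated as a failed term."""
    for field, rx in terms:
        value = event.get(field)
        if value is None or not rx.search(str(value)):
            return 0
    return 1


def build_blacklists(stanza):
    """Return [(key, value_fn)] in evaluation order, picking the parser by the line's format."""
    keys = sorted((k for k in stanza if re.fullmatch(r"blacklist\d*", k)),
                  key=lambda k: int(k[9:] or 0))          # 'blacklist' -> 0, 'blacklistN' -> N
    out = []
    for key in keys:
        spec = stanza[key]
        if LEGACY_SPEC.match(spec):
            out.append((key, partial(legacy_value, parse_legacy(spec))))
        else:
            out.append((key, partial(regex_value, parse_regex_line(spec))))
    return out


def evaluate(blacklists, event):
    """Walk the lines in order; the first line computing 1 blacklists the event (OR with
    short-circuit). Returns (matching_key_or_None, number_of_lines_evaluated)."""
    for n, (key, value) in enumerate(blacklists, 1):
        if value(event) == 1:
            return key, n
    return None, len(blacklists)


def apply_blacklists(stanza, events):
    """[(EventCode, matching_key, lines_evaluated)] per event; a None key means the event is kept."""
    blacklists = build_blacklists(stanza)
    return [(ev["EventCode"],) + evaluate(blacklists, ev) for ev in events]


def total_evaluations(stanza, events):
    """Blacklist line evaluations spent on a batch: lower is better, which is the pro tip's point."""
    return sum(n for _, _, n in apply_blacklists(stanza, events))


# Constructed stanza: one legacy line plus two regex lines (hypothetical, for illustration).
STANZA = {
    "blacklist": "4634,5000-6000",
    "blacklist1": r'EventCode="4688" Message="(?i)\\conhost\.exe"',
    "blacklist2": r'EventCode="4688" Message="(?i)\\splunk(d|-winevtlog)\.exe"',
}
# Same lines with blacklist1/blacklist2 swapped, since the splunk line drops more of EVENTS.
STANZA_REORDERED = {"blacklist": STANZA["blacklist"],
                    "blacklist1": STANZA["blacklist2"], "blacklist2": STANZA["blacklist1"]}

# Constructed events (EventCode and a trimmed Message only).
EVENTS = [
    {"EventCode": 4624, "Message": "An account was successfully logged on."},
    {"EventCode": 4634, "Message": "An account was logged off."},
    {"EventCode": 4688, "Message": "New Process Name: C:\\Windows\\System32\\conhost.exe"},
    {"EventCode": 4688, "Message": "New Process Name: C:\\Windows\\System32\\cmd.exe"},
    {"EventCode": 4688, "Message": "New Process Name: C:\\Program Files\\Splunk\\bin\\splunkd.exe"},
    {"EventCode": 4688, "Message": "New Process Name: C:\\Program Files\\Splunk\\bin\\splunk-winevtlog.exe"},
    {"EventCode": 5156, "Message": "The Windows Filtering Platform has permitted a connection."},
    {"EventCode": 4624, "Message": "conhost.exe mentioned here, but the EventCode term fails"},
]

if __name__ == "__main__":
    for code, key, n in apply_blacklists(STANZA, EVENTS):
        print(f"EventCode={code}: {'dropped by ' + key if key else 'kept'} after {n} line(s)")
    print("evaluations:", total_evaluations(STANZA, EVENTS),
          "vs reordered:", total_evaluations(STANZA_REORDERED, EVENTS))
```

The last constructed event shows the AND rule: its Message matches the `conhost` regex, but the `EventCode="4688"` term fails, so the line computes 0 and the event is kept. Comparing the two stanzas shows the pro tip in numbers: with the line that drops more events numbered lower, fewer regex evaluations are spent on the same batch.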