Getting Data In

How to configure a forwarder to blacklist specific events for an EventCode that contain a certain process name in the message?

wtl1
Engager

I am trying to set up the custom config for forwarding only specific Splunk logs. I am testing filtering out specific events for a particular Event ID. Based on the Splunk doc, it says:

"You can specify more than one key/regular expression set on a single entry line. When you do this, Splunk Enterprise logically conjuncts the sets. This means that only events which satisfy all of the sets on the line will be valid for inclusion or exclusion. For example, this entry:

whitelist = EventCode="^1([0-5])$" Message="^Error" "

When I try this with blacklist, it blacklists anything coming from that Event code, not just the one specific event type/process. I was going off filtering by a piece of what's in the message: the process name, and Message is the only key I can get it from, based on the filter keys. But it seems it does not filter based off the whole expression. Regardless of what I have after the EventCode, it just filters everything for that event code. Has anyone else had this issue or know why it's not filtering by the whole expression? As an example I did:

[WinEventLog://Security]
disabled = 0 
blacklist = EventCode="4688" Message="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 

but it just filters out all EventCode 4688. If I remove 4688, it keeps and sends all of the events, including the one with that process.

jdomedion
New Member
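An added offline check, not Splunk's code and not from the post, that models the documented rule (every key="regex" set on one blacklist line must match for the event to be dropped) and compiles each regex first. The sample events are constructed; the escaped path uses \\ for each backslash, and the unescaped path from the post contains \P, which Python's re rejects (Splunk's own PCRE behaviour on that line is an assumption, not tested here).

```python
import re

# Constructed sample WinEventLog://Security events (hypothetical, not real log data).
SAMPLE_EVENTS = [
    {"EventCode": "4688",
     "Message": "A new process has been created.\r\nNew Process Name: "
                "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe"},
    {"EventCode": "4688",
     "Message": "A new process has been created.\r\nNew Process Name: "
                "C:\\Windows\\System32\\notepad.exe"},
    {"EventCode": "4624",
     "Message": "An account was successfully logged on. Process Name: splunk-powershell.exe"},
]

# Blacklist line as written in the post (unescaped backslashes) and an escaped form.
UNESCAPED_LINE = r'blacklist = EventCode="4688" Message="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"'
ESCAPED_LINE = r'blacklist = EventCode="4688" Message="C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell\.exe"'

# One key="regex" set; the regex body may contain backslash-escaped characters.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_filter_line(line):
    """Split a blacklist/whitelist line into (key, compiled regex) pairs; re.error if a regex is invalid."""
    body = line.split("=", 1)[1].strip()          # drop the 'blacklist =' prefix
    pairs = PAIR_RE.findall(body)
    if not pairs:
        raise ValueError("no key=\"regex\" sets found on line")
    return [(key, re.compile(rx)) for key, rx in pairs]


def check_line(line):
    """Return None when every regex on the line compiles, else the compile error text."""
    try:
        parse_filter_line(line)
        return None
    except re.error as exc:
        return str(exc)


def is_blacklisted(event, pairs):
    """Sets on one line are ANDed: every regex must match its key's value for the event to be dropped."""
    return all(rx.search(event.get(key, "")) for key, rx in pairs)


def apply_blacklist(events, line):
    """Return the events that would be forwarded (i.e. not matched by the blacklist line)."""
    pairs = parse_filter_line(line)
    return [e for e in events if not is_blacklisted(e, pairs)]
```

Running check_line on a candidate line before deploying it shows whether the Message regex even compiles; apply_blacklist then shows which sample events survive.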