I posted this question just so that I could answer it for the Splunk community in case it helps anyone else out. If someone could convert this to an answer that would be great. Copied and pasted from an email to a coworker:

Here’s some notes regarding blacklisting in Splunk (note that this differs sharply from the official/flawed 6.3.1 documentation).

-Blacklisting forwarded Windows event logs on the deployment server needs to be done in Splunk/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf, followed by either a Splunk reboot or “splunk reload deploy-server” (note that I cannot get the command to work in PowerShell)
-Your first blacklist (blacklist, not blacklist1) is the only line that can take a list of event IDs.
-----blacklist = 0-4623,4625-100000
-Numbered blacklists, up to and including blacklist9, take regular expressions, but they need to be surrounded by % instead of quotation marks. Also note that wildcards are not accepted as they are in a Splunk search or Splunk XML (e.g. blacklist1 = Message=%*thingtofind*%), they need to be a strict regex (e.g. .* or [\s\S]*)
-----blacklist1 = Message=%[\s\S]*Account Name:\s*(ABCEX|Mimecast_MSESvc|APMMONITOR|ABCDC|DEF)[\s\S]*%
-You can only blacklist on: Category CategoryString ComputerName EventCode EventType Keywords LogName Message OpCode RecordNumber Sid SidType SourceName TaskCategory Type User

Cheers,