Hey vad34,
You can use something like this in your inputs.conf:
[WinEventLog://Security]
disabled=0
current_only=1
blacklist1=EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
The reference I'm grabbing from is this blog post:
http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/
This is a little more elegant, but it's specific to WinEventLog data. jmallorquin's solution is universal to any data source.
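A way to check which events the blacklist1 line above lets through, as an added example that is not part of the original post or the linked blog. It assumes a simplified model in which an event is dropped only when every key's regex matches; the sample events and the `ANCHORED` comparison pattern are constructed here. The point to watch is how much whitespace follows "Object Type:", because `\s+` can backtrack past the lookahead.

```python
import re

# Message regex exactly as written in the post's blacklist1 line.
POSTED = re.compile(r"Object Type:\s+(?!groupPolicyContainer)")
# Comparison pattern (assumption, not from the post): whitespace is consumed
# inside the lookahead, so there is nothing for the engine to backtrack over.
ANCHORED = re.compile(r"Object Type:(?!\s*groupPolicyContainer)")


def is_blacklisted(event, message_re):
    """Simplified model: the event is dropped only if EVERY key's regex matches."""
    return bool(re.search("4662", event["EventCode"])) and bool(
        message_re.search(event["Message"])
    )


def make_4662(object_type, sep):
    """Build a constructed 4662 message with `sep` between label and value."""
    msg = f"Object:\n\tObject Server:\tDS\n\tObject Type:{sep}{object_type}\n"
    return {"EventCode": "4662", "Message": msg}


# Constructed sample events, not real log data.
SAMPLES = {
    "gpc_one_space": make_4662("groupPolicyContainer", " "),
    "gpc_two_tabs": make_4662("groupPolicyContainer", "\t\t"),
    "user_two_tabs": make_4662("user", "\t\t"),
    "logon_4624": {"EventCode": "4624", "Message": "An account was logged on."},
}


def forwarded(message_re):
    """Names of the sample events that survive the blacklist."""
    return sorted(
        name for name, ev in SAMPLES.items() if not is_blacklisted(ev, message_re)
    )


if __name__ == "__main__":
    # With POSTED, "gpc_two_tabs" is dropped: \s+ gives back one tab, the
    # lookahead then sees "\tgroupPolicyContainer" and the regex matches.
    print("posted  :", forwarded(POSTED))
    print("anchored:", forwarded(ANCHORED))
```

Before relying on the filter, compare a raw 4662 event from your own forwarder against the pattern, since the separator after "Object Type:" decides whether groupPolicyContainer events are kept.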