Can someone help me with exclusions vs inclusions and which win. I have win_socket_events running and I am trying to exclude splunk events. I have the port splunk uses in the includeded ports filter but in the process_name section I exclude the splunk process name. Yes in the results I still see splunk process being reported. The only thing I can think of is that INCLUDES trump EXCLUDES and if the include matches then the exclude is ignored. Is this how it works? Or am I doing something completely incorrect.