Can someone help me with exclusions vs inclusions and which wins? I have win_socket_events running and I am trying to exclude splunk events. I have the port splunk uses in the included ports filter, but in the process_name section I exclude the splunk process name. Yet in the results I still see the splunk process being reported. The only thing I can think of is that INCLUDES trump EXCLUDES and if the include matches then the exclude is ignored. Is this how it works? Or am I doing something completely incorrect?
Here is an example config that I tried. When this is running I still see the 3 process names in the exclude config being reported. Why would this config not drop the events where the process name matches those in the exclude block?
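One way to reason about the precedence question in the post, as an added example that is not part of the original post and is not the actual filter logic of win_socket_events or any vendor product: a small Python model that evaluates a constructed include/exclude config under both candidate rules ("include wins" and "exclude wins") and reports which rule is consistent with a set of observed results. The port number (9997), the process names and the sample events are all constructed stand-ins, not values from the poster's config.

```python
"""Model of include/exclude filter precedence for socket events.

Constructed example. The two policies below are hypotheses about how a
filter *might* evaluate, not the documented behaviour of any product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SocketEvent:
    process_name: str
    port: int


# Constructed config mirroring the shape described in the post:
# an included-ports list plus an excluded-process-names list.
# 9997 is an assumed forwarder port; the process names are stand-ins.
FILTER = {
    "include_ports": {9997},
    "exclude_process_names": {"splunkd.exe", "splunk-helper-a.exe", "splunk-helper-b.exe"},
}

POLICIES = ("include_wins", "exclude_wins")


def evaluate(ev: SocketEvent, cfg: dict, policy: str) -> bool:
    """Return True if the event would be reported under the given policy."""
    has_inc = bool(cfg["include_ports"])
    inc = ev.port in cfg["include_ports"]
    exc = ev.process_name.lower() in cfg["exclude_process_names"]
    if policy == "exclude_wins":
        # Any exclude match drops the event; if an include list exists it
        # gates everything that survives the exclude.
        return not exc and (inc or not has_inc)
    if policy == "include_wins":
        # A matching include short-circuits before excludes are consulted
        # (the hypothesis raised in the post). Excludes only act on events
        # that did not match an include.
        if inc:
            return True
        return not exc and not has_inc
    raise ValueError(f"unknown policy: {policy}")


def consistent_policies(observations, cfg: dict) -> set:
    """Return the policies under which every (event, was_reported) pair holds."""
    return {
        p for p in POLICIES
        if all(evaluate(ev, cfg, p) == reported for ev, reported in observations)
    }


# Constructed observations: what the post describes seeing in the results.
OBSERVED = [
    (SocketEvent("splunkd.exe", 9997), True),    # excluded process, included port: still reported
    (SocketEvent("chrome.exe", 9997), True),     # unrelated process on the included port: reported
    (SocketEvent("splunkd.exe", 443), False),    # excluded process, non-included port: not reported
]


if __name__ == "__main__":
    for ev, seen in OBSERVED:
        verdicts = {p: evaluate(ev, FILTER, p) for p in POLICIES}
        print(f"{ev.process_name}:{ev.port} observed={seen} model={verdicts}")
    print("policies consistent with observations:", consistent_policies(OBSERVED, FILTER))
```

Running it shows that only the "include wins" rule reproduces all three constructed observations; if the real results also contain an excluded process on a non-included port being reported, neither model fits and the config is being interpreted differently than either hypothesis assumes.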