Hello,
I need to create a whitelist using the blacklist. I mean...
I have three blacklists in the Windows Security input:
[WinEventLog://Security]
disabled=0
index = wineventlog
source = XmlWinEventLog:Security
sourcetype = XmlWinEventLog
...
...
...
blacklist = 4624,4625,2222
blacklist1 = EventCode="4688" $XmlRegex="(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\btool.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-admon.exe)|(C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe)"
blacklist2 = EventCode="1111" $XmlRegex="C:\\ProgramData\\random\\andom2\\dasdfa.exe"
I need to add another blacklist like this:
blacklist3 = EventCode="4663" $XmlRegex="(C:\\Windows\\System32\\Taskmgr.exe)"
This blacklist removes all 4663 events with the process name Taskmgr.exe (it works). But actually, I want to remove all 4663 events except the 4663 events with the process name Taskmgr.exe.
I tried using expressions like these, but they don't work:
blacklist3 = EventCode="4663" $XmlRegex="(?!C:\\Windows\\System32\\Taskmgr.exe)"
blacklist3 = EventCode="4663" $XmlRegex="?!(C:\\Windows\\System32\\Taskmgr.exe)"
blacklist3 = EventCode="4663" $XmlRegex="^((?!C:\\Windows\\System32\\Taskmgr.exe)[\s\S])*$"
Is there a solution? I can't use a whitelist because I have blacklists.
Thanks a lot!
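The three patterns above behave very differently as regular expressions, and that is worth checking offline before touching inputs.conf. The following is an added example, not code from the original post or from Splunk: it runs each attempted $XmlRegex value, plus one alternative that anchors the negative lookahead to the ProcessName field, against a few constructed XML events. Assumptions: the regexes are applied with unanchored search semantics over the whole XML event (Python's re.search is used as a stand-in for Splunk's PCRE matcher), the EventCode="4663" key is a separate gate and is not modelled, and the sample events are hand-built stubs whose attribute quoting and field layout should be compared against a real 4663 event before reusing the field-anchored pattern.

```python
import re

# Constructed minimal XmlWinEventLog-style payloads (not real captured events).
# Real 4663 events carry many more <Data> fields; only ProcessName matters here.
def make_event(event_id, process_name):
    return (
        "<Event>"
        f"<System><EventID>{event_id}</EventID></System>"
        f"<EventData><Data Name='ProcessName'>{process_name}</Data></EventData>"
        "</Event>"
    )

EVENTS = {
    "taskmgr": make_event(4663, "C:\\Windows\\System32\\Taskmgr.exe"),
    "notepad": make_event(4663, "C:\\Windows\\System32\\notepad.exe"),
    "splunkd": make_event(4663, "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe"),
}

# The three $XmlRegex values from the post, with the conf-file quoting stripped.
# Note the original patterns leave the '.' in 'Taskmgr.exe' unescaped, so it
# matches any character; that looseness is kept here to mirror the post.
ATTEMPTS = {
    "lookahead_only":   r"(?!C:\\Windows\\System32\\Taskmgr.exe)",
    "bare_quantifier":  r"?!(C:\\Windows\\System32\\Taskmgr.exe)",
    "tempered_anchor":  r"^((?!C:\\Windows\\System32\\Taskmgr.exe)[\s\S])*$",
}

# Assumed alternative (hypothetical, not from the post): match the ProcessName
# field and require that its value is NOT the Taskmgr path. The lookahead is
# tied to a specific field, so it cannot accidentally succeed on unrelated text.
FIELD_ANCHORED = r"""<Data Name=['"]ProcessName['"]>(?!C:\\Windows\\System32\\Taskmgr\.exe<)"""


def evaluate(pattern):
    """Return {event_name: would_be_blacklisted} for one pattern.

    A True value means the blacklist regex matched, i.e. Splunk would drop
    the event (assumption: unanchored search over the whole XML). A pattern
    that does not compile returns {"error": message} instead.
    """
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        return {"error": str(exc)}
    return {name: compiled.search(xml) is not None for name, xml in EVENTS.items()}


def keeps_only_taskmgr(pattern):
    """True if the pattern drops every sample event except the Taskmgr one."""
    result = evaluate(pattern)
    if "error" in result:
        return False
    return result["taskmgr"] is False and all(v for k, v in result.items() if k != "taskmgr")


if __name__ == "__main__":
    for label, pattern in list(ATTEMPTS.items()) + [("field_anchored", FIELD_ANCHORED)]:
        print(f"{label:16} {evaluate(pattern)}  goal met: {keeps_only_taskmgr(pattern)}")
```

Reading the output: the first attempt is an unanchored negative lookahead with nothing else in the pattern, so it finds an empty match at the first position that is not followed by the Taskmgr path, which is every event, and blacklists all 4663 events. The second attempt starts with a bare quantifier and is rejected by the regex engine outright. The third and the field-anchored pattern both drop the non-Taskmgr events and keep the Taskmgr one under plain regex semantics, so if the third form still fails in Splunk the cause lies in how the value is quoted and parsed in inputs.conf, not in the regex logic itself.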