Hi there,
I have a problem with our Windows heavy forwarder.
The problem is that the forwarder should transform WMI events from a specific host.
My props.conf and transforms.conf look like this:
props.conf
[host::*]
TRANSFORMS-events=only_error_warning
transforms.conf
[only_error_warning]
REGEX = (?mi)Type=Audit
DEST_KEY = queue
FORMAT = nullQueue
Do I have a problem with the config, or can't the heavy forwarder transform the WMI event?
Regards
First, your props.conf is not for a specific host, but for all hosts. Or I should say "all hosts that have data collected by this forwarder."
Second, only events that have "type=audit" in the text will be eliminated.
What hosts and events appear in your Splunk indexer? What do you get if you put type=audit in the search box?
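To make the two points above concrete (the host stanza selects which hosts the transform applies to, and the REGEX alone decides which of their events are dropped), here is an added example that is not part of this thread and not Splunk code: a small Python simulation of the posted props.conf/transforms.conf pair run over a handful of constructed Windows-event-style records. The event text, the host names server1/server2 and the glob-style matching of `host::` stanzas are assumptions made for the illustration; real Splunk stanza precedence is richer than this, but the routing outcome for these two configs is the same.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events in the style of Splunk's Windows event log text.
# These are made up for the example, not captured from the poster's forwarder.
SAMPLE_EVENTS = [
    ("server1", "LogName=Security\r\nType=Audit Success\r\nEventCode=4624\r\nMessage=An account was successfully logged on."),
    ("server1", "LogName=Security\r\nType=Audit Failure\r\nEventCode=4625\r\nMessage=An account failed to log on."),
    ("server1", "LogName=Application\r\nType=Error\r\nEventCode=1000\r\nMessage=Faulting application."),
    ("server2", "LogName=Security\r\nType=Audit Success\r\nEventCode=4634\r\nMessage=An account was logged off."),
    ("server2", "LogName=System\r\nType=Warning\r\nEventCode=7034\r\nMessage=A service terminated unexpectedly."),
]

# transforms.conf exactly as posted in the question: one stanza that sends
# any event whose text contains "Type=Audit" (case-insensitive) to nullQueue.
# Because "Audit Success" and "Audit Failure" both start with "Audit", no
# wildcard is needed to catch both.
TRANSFORMS = {
    "only_error_warning": {
        "REGEX": r"(?mi)Type=Audit",
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
    }
}

# props.conf as posted: applies to every host this forwarder collects from.
PROPS_ALL_HOSTS = {"host::*": {"TRANSFORMS-events": "only_error_warning"}}

# props.conf restricted to a single host (the poster's original intent).
PROPS_SERVER1 = {"host::server1": {"TRANSFORMS-events": "only_error_warning"}}


def apply_routing(props, transforms, host, raw):
    """Return the queue an event ends up in: "indexQueue" (kept) or "nullQueue" (dropped).

    Simplified model: every host:: stanza whose pattern matches the event's host
    field contributes its TRANSFORMS-* entries; a transform with DEST_KEY=queue
    whose REGEX matches the raw text rewrites the queue to its FORMAT value.
    """
    queue = "indexQueue"
    for stanza, settings in props.items():
        if not stanza.startswith("host::"):
            continue  # only host-based stanzas are modelled here
        pattern = stanza[len("host::"):]
        if not fnmatchcase(host, pattern):  # assumption: shell-style glob match
            continue
        for key, names in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in names.split(","):
                t = transforms[name.strip()]
                if t.get("DEST_KEY") != "queue":
                    continue
                if re.search(t["REGEX"], raw):
                    queue = t["FORMAT"]
    return queue


def route_all(props, transforms=TRANSFORMS, events=SAMPLE_EVENTS):
    """Route every sample event; returns (host, Type line, resulting queue) tuples."""
    return [
        (host, raw.split("\r\n")[1], apply_routing(props, transforms, host, raw))
        for host, raw in events
    ]


if __name__ == "__main__":
    for label, props in (("host::*", PROPS_ALL_HOSTS), ("host::server1", PROPS_SERVER1)):
        print(f"--- props.conf stanza [{label}] ---")
        for host, type_line, queue in route_all(props):
            print(f"{host:8} {type_line:20} -> {queue}")
```

With `[host::*]` the audit events from both server1 and server2 are dropped and the Error/Warning events are kept; with `[host::server1]` the server2 audit event is kept too. The simulation can only match on whatever value the event actually carries in its host field, so if a `[host::server1]` stanza does nothing on the real forwarder, the first thing to check is what host value those WMI events show up with in the indexer, as the search suggested above will tell you.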
Hi lguinn,
thanks for your reply.
That's right. I only want to eliminate all audit events from this forwarder. Should I use a wildcard in the regex to find all audit success or audit failure events?
At first I only wanted to eliminate all audit events from host server1. I had written the props.conf like this: [host::server1], but nothing happened. So I used the wildcard to match all hosts. But this also doesn't work.