I'm currently collecting PowerShell event 4104 across all devices on the network and one sysadmin host has been found to be exceptionally chatty. I would like to blacklist event 4104 on that box while allowing it on all the rest. I've added the event ID to the blacklist in the offending machine's etc/system/local/inputs.conf, as it should take precedence over the app's inputs.conf file, but I'm still receiving events. Can someone point me in the right direction?
Try this
On your Indexer/Heavy forwarder (node where data parsing happens), add this
props.conf
# Scoped to the chatty host only; events from every other host never see this transform.
[host::yourchattyhostname]
TRANSFORMS-remove4104 = remove4104

transforms.conf
# Matches the EventCode line of a classic (non-XML) WinEventLog event. (?m) lets ^ anchor
# at the start of any line inside the multi-line event; \b stops 4104 matching a longer number.
# DEST_KEY=queue with FORMAT=nullQueue discards the event before it is indexed.
[remove4104]
REGEX = (?m)^EventCode=4104\b
DEST_KEY = queue
FORMAT = nullQueue
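To check the routing logic before touching a production indexer, here is an added Python emulation of what the props.conf/transforms.conf pair above does. It is not code from the thread or from Splunk: it applies the host-scoped transform to a handful of constructed sample events and reports which queue each would land in. The host name, the event text and the XML-rendered sample are all assumptions made for the example.

```python
import re

# Added example, not from the original post or from Splunk. It emulates the
# host-scoped props.conf -> transforms.conf -> nullQueue routing described in
# the answer so the regex can be checked against sample events before deploy.
# Host names, event text and the XML sample are constructed for this example.

CHATTY_HOST = "yourchattyhostname"  # assumed name, as in the answer's stanza

# props.conf: which transforms apply to events from which host.
PROPS = {
    f"host::{CHATTY_HOST}": ["remove4104"],
}

# transforms.conf: the routing rule itself. DEST_KEY=queue with
# FORMAT=nullQueue discards the event; (?m) lets ^ anchor at any line of a
# multi-line event and \b stops 4104 from matching a longer number.
TRANSFORMS = {
    "remove4104": {
        "REGEX": r"(?m)^EventCode=4104\b",
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
    },
}


def route_event(host: str, raw: str) -> str:
    """Return the queue an event would be sent to: 'nullQueue' or 'indexQueue'."""
    for name in PROPS.get(f"host::{host}", []):
        rule = TRANSFORMS[name]
        if rule["DEST_KEY"] == "queue" and re.search(rule["REGEX"], raw):
            return rule["FORMAT"]
    return "indexQueue"  # default destination when no routing rule fires


def route_all(events):
    """Route a list of (host, raw_event) pairs and return [(host, queue), ...]."""
    return [(host, route_event(host, raw)) for host, raw in events]


def classic_event(event_code: int) -> str:
    """Constructed event in the classic (non-XML) WinEventLog rendering,
    where EventCode sits on its own line inside the multi-line event."""
    return (
        "10/01/2023 09:12:33 AM\n"
        "LogName=Microsoft-Windows-PowerShell/Operational\n"
        f"EventCode={event_code}\n"
        "EventType=4\n"
        "Message=Creating Scriptblock text (1 of 1):\n"
        "Get-Process | Where-Object { $_.CPU -gt 100 }\n"
    )


# With renderXml=true the event arrives as XML and carries <EventID>4104</EventID>
# rather than an EventCode= line, so the classic regex does not match it.
XML_EVENT_4104 = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-PowerShell'/>"
    "<EventID>4104</EventID></System></Event>"
)

SAMPLE_EVENTS = [
    (CHATTY_HOST, classic_event(4104)),   # dropped
    (CHATTY_HOST, classic_event(4103)),   # kept: different event code
    ("otherhost", classic_event(4104)),   # kept: stanza is host-scoped
    (CHATTY_HOST, XML_EVENT_4104),        # kept: XML rendering, regex does not apply
]

if __name__ == "__main__":
    for host, queue in route_all(SAMPLE_EVENTS):
        print(f"{host:<20} -> {queue}")
```

Two things the run makes visible: the transform only ever fires for the host named in the props.conf stanza, and the `EventCode=` pattern silently does nothing if the Windows input is configured with `renderXml = true`, because the raw event is then XML with `<EventID>4104</EventID>` instead of an `EventCode=` line. In that case the REGEX has to target the XML form. Either way the stanzas belong on the first full Splunk instance that parses the data (indexer or heavy forwarder), not on the universal forwarder, and that instance needs a restart or reload for them to take effect.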