Solved: How to remove the Windows message description

jwalzerpitt · ‎11-25-2019

Found a great article on how to remove the Windows message description - https://www.hurricanelabs.com/splunk-tutorials/windows-event-log-filtering-design-in-splunk# - and followed the article to create the following props/transforms conf files:

props.conf: 

[source::WinEventLog:Security] 
TRANSFORMS-removedescription = removeEventDesc1 

transforms.conf: 

[removeEventDesc1] 
LOOKAHEAD = 16128 
REGEX = (?msi)(.*)This event is generated 
DEST_KEY = _raw 
FORMAT = $1

Waited some time for the UFs to phone home and pick up the change, but when I search the Windows events, I still see the description in the event.

Any idea or insights as to why would be greatly appreciated.

Thx

woodcock · ‎11-25-2019

Don't reinvent the wheel. Upgrade to the latest version and then do this:
https://docs.splunk.com/Documentation/WindowsAddOn/7.0.0/User/Configuration#Configure_props.conf

View solution in original post

woodcock · ‎11-25-2019

Don't reinvent the wheel. Upgrade to the latest version and then do this:
https://docs.splunk.com/Documentation/WindowsAddOn/7.0.0/User/Configuration#Configure_props.conf

Mai_splunk · ‎12-10-2020

Hi @woodcock

I'm triying this solutions without good results. I'm receiving message info after config the props.conf.

In deploy server, into the app, in local/props.conf I configure the parameters.

Do i Need anymore things?

Thanks!

jwalzerpitt · ‎11-25-2019

Thx for the heads up

How to remove the Windows message description

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases