Found a great article on how to remove the Windows message description - https://www.hurricanelabs.com/splunk-tutorials/windows-event-log-filtering-design-in-splunk# - and followed the article to create the following props/transforms conf files:
props.conf:
# Applies to classic-rendered (non-XML) Security channel events
[source::WinEventLog:Security]
TRANSFORMS-removedescription = removeEventDesc1

transforms.conf:
[removeEventDesc1]
# How many characters into the event the regex may search (default 4096, too short for long descriptions)
LOOKAHEAD = 16128
# Capture everything before the boilerplate "This event is generated" sentence
REGEX = (?msi)(.*)This event is generated
# Overwrite the raw event with the captured prefix only
DEST_KEY = _raw
FORMAT = $1
Waited some time for the UFs to phone home and pick up the change, but when I search the Windows events, I still see the description in the event.
Any idea or insights as to why would be greatly appreciated.
Thx
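As an added example, not from the post or the linked article, here is a small Python replica of what the transforms.conf stanza above does to _raw, run over two constructed classic-format Security events: a 4624 whose description contains the boilerplate sentence, and a 4720 whose description does not, plus the 4624 again with a LOOKAHEAD too small to reach the sentence. The regex and settings are the ones from the post; the event text is made up, and the modelling of Splunk as matching REGEX against the first LOOKAHEAD characters and replacing _raw with the expanded FORMAT is my reconstruction of the documented behaviour. One check worth doing before debugging the regex: TRANSFORMS- in props.conf is an index-time setting, applied by the first full Splunk instance that parses the data (an indexer or heavy forwarder), not by a universal forwarder, so shipping the app only to UFs through the deployment server leaves the description in place.

```python
import re

# Replica of the transforms.conf stanza from the post. Assumption (documented
# Splunk behaviour): REGEX is matched against the first LOOKAHEAD characters of
# _raw and, on a match, _raw is replaced by FORMAT with $1 expanded.
LOOKAHEAD = 16128
REGEX = re.compile(r"(?msi)(.*)This event is generated")
FORMAT = r"\1"  # Splunk writes this as $1


def apply_transform(raw: str, lookahead: int = LOOKAHEAD) -> str:
    """Return _raw as Splunk would index it after the transform.

    If the regex does not match inside the lookahead window the transform is a
    no-op and the event is indexed unchanged. The greedy (.*) means the cut is
    made at the LAST occurrence of the phrase inside the window.
    """
    match = REGEX.search(raw[:lookahead])
    if match is None:
        return raw
    return match.expand(FORMAT)


# Constructed classic-format Security events (not real logs).
EVENT_4624 = """03/10/2019 10:15:22 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=WS01.example.local
TaskCategory=Logon
OpCode=Info
RecordNumber=123456
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
\tSecurity ID:\t\tS-1-5-18
\tAccount Name:\t\tWS01$
\tAccount Domain:\t\tEXAMPLE
\tLogon ID:\t\t0x3E7

Logon Type:\t\t\t5

New Logon:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tEXAMPLE
\tLogon ID:\t\t0x4A1B2C

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon.
"""

# A description with no "This event is generated" sentence: the transform leaves it alone.
EVENT_4720 = """03/10/2019 10:20:01 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=DC01.example.local
TaskCategory=User Account Management
OpCode=Info
RecordNumber=123457
Keywords=Audit Success
Message=A user account was created.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-500
\tAccount Name:\t\tadministrator
\tAccount Domain:\t\tEXAMPLE
\tLogon ID:\t\t0x5F0E1

New Account:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105
\tAccount Name:\t\tsvc-backup
\tAccount Domain:\t\tEXAMPLE
"""


def describe(raw: str, lookahead: int = LOOKAHEAD) -> dict:
    """Summarise what the transform did to one event."""
    out = apply_transform(raw, lookahead)
    return {
        "matched": out != raw,
        "chars_before": len(raw),
        "chars_after": len(out),
        "description_removed": "This event is generated" not in out,
    }


if __name__ == "__main__":
    for name, event in (("4624", EVENT_4624), ("4720", EVENT_4720)):
        print(name, describe(event))
    # Same 4624 event, but the phrase lies beyond a 200-character window: no-op.
    print("4624 lookahead=200", describe(EVENT_4624, lookahead=200))
```

Running it shows the 4624 event shrinking to everything up to and including the "New Logon" block, the 4720 event passing through untouched, and the 4624 event also passing through untouched when LOOKAHEAD is too small, which is the same symptom as the transform never running at all.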
Don't reinvent the wheel. Upgrade to the latest version and then do this:
https://docs.splunk.com/Documentation/WindowsAddOn/7.0.0/User/Configuration#Configure_props.conf
Hi @woodcock
I'm trying this solution without good results. I'm still receiving the message info after configuring props.conf.
On the deployment server, inside the app, in local/props.conf I configured the parameters.
Do I need anything else?
Thanks!
Thx for the heads up