I am trying to filter events, and am not having any luck.
Log info in Splunk:
LogName=System
SourceName=Microsoft-Windows-Service Control Manager
EventCode=7036
EventType=4
Type=Information
ComputerName=xxNAMExx
TaskCategory=The operation completed successfully.
OpCode=The operation completed successfully.
RecordNumber=29077
Keywords=Classic
Message=The WMI Performance Adapter service entered the stopped state.
These files have been changed on the machine that forwards the data.
props.conf
[WMI:WinEventLog:System]
TRANSFORMS-wmi=wminull
transforms.conf
[wminull]
REGEX=(?m)^EventCode=(7036)
DEST_KEY=queue
FORMAT=nullQueue
What am I missing?
Thanks