Hi,
Running a trial of Splunk 4.2 on Windows 2008, attempting to filter before entering the index queue. Objective: keep "account management" security events and drop all other events.
The only data to enter the index should be:
source="WMI:WinEventLog:Security" CategoryString="Account Management"
I have created props.conf and transforms.conf in C:\Program Files\Splunk\etc\system\local and tried a few different combinations, but so far no progress.
props.conf:
[WinEventLog:Security]
TRANSFORMS-evtlog = wmi-filter,wmi-null
transforms.conf:
[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[wmi-filter]
REGEX = (?msi)^(CategoryString=Account Management)
DEST_KEY = queue
FORMAT = indexQueue
I'd welcome some guidance, thanks.
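The order of the two transforms is the likely culprit: when several transforms in one TRANSFORMS-<class> list set the same DEST_KEY, the last matching one wins, so listing wmi-null after wmi-filter sends every event to nullQueue. The following is an added example of the corrected pair of files (not the poster's own configuration, and not tested on their system); it assumes the source:: stanza matches the source shown in the search above.

```ini
# props.conf  (C:\Program Files\Splunk\etc\system\local)
# Match the source seen in the search. Order matters: for the same DEST_KEY
# the last matching transform wins, so the catch-all drop rule must come
# first and the "keep" rule last.
[source::WMI:WinEventLog:Security]
TRANSFORMS-evtlog = wmi-null, wmi-filter

# transforms.conf
# Catch-all: route every event from this source to the null queue (discarded).
[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Override for Account Management events only: route them back to indexQueue.
# Unanchored, so it matches wherever the line sits in the multi-line event.
[wmi-filter]
REGEX = CategoryString=Account Management
DEST_KEY = queue
FORMAT = indexQueue
```

Restart Splunk after editing, and note that these index-time transforms only affect data arriving after the change; already indexed events are unaffected.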