Found a great article on how to remove the Windows message description - https://www.hurricanelabs.com/splunk-tutorials/windows-event-log-filtering-design-in-splunk# - and followed the article to create the following props/transforms conf files:
props.conf:
# Apply the transform to every event whose source is the Windows Security log
[source::WinEventLog:Security]
TRANSFORMS-removedescription = removeEventDesc1
transforms.conf:
[removeEventDesc1]
# Search this many characters into the event (the default is 4096)
LOOKAHEAD = 16128
# Capture everything that precedes the description marker text
REGEX = (?msi)(.*)This event is generated
# Rewrite _raw so that only the captured portion is indexed
DEST_KEY = _raw
FORMAT = $1
Waited some time for the UFs to phone home and pick up the change, but when I search the Windows events, I still see the description in the event.
Any idea or insights as to why would be greatly appreciated.
Thx
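As an added illustration (not part of the original post and not Splunk's own code), the following Python simulation applies the transforms.conf stanza above to a constructed Windows Security event and shows the LOOKAHEAD edge case, where a bloated event whose description marker sits past the searched window keeps its description even though the stanza is correct. It assumes that Splunk searches only the first LOOKAHEAD characters of _raw and, on a match, replaces the whole _raw with the FORMAT output.

```python
import re

# Constructed sample: a Windows Security event in the multi-line format the
# universal forwarder emits, with Microsoft's descriptive text at the end.
SAMPLE_EVENT = (
    "04/10/2023 10:15:22 AM\n"
    "LogName=Security\n"
    "EventCode=4624\n"
    "EventType=0\n"
    "Message=An account was successfully logged on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tWIN-HOST$\n"
    "\n"
    "This event is generated when a logon session is created. It is generated\n"
    "on the computer that was accessed.\n"
)

# Mirror of the transforms.conf stanza from the post.
LOOKAHEAD = 16128
REGEX = re.compile(r"(?msi)(.*)This event is generated")


def apply_transform(raw: str, lookahead: int = LOOKAHEAD) -> str:
    """Simulate REGEX / DEST_KEY=_raw / FORMAT=$1 (assumed Splunk behaviour):
    search only the first `lookahead` characters of _raw; on a match, the
    whole _raw becomes capture group 1, otherwise _raw is left unchanged."""
    match = REGEX.search(raw[:lookahead])
    return match.group(1) if match else raw


def transform_fired(raw: str, lookahead: int = LOOKAHEAD) -> bool:
    """True when the description marker lies inside the searched window,
    i.e. when the transform would actually strip the description."""
    return apply_transform(raw, lookahead) != raw


# Edge case: an oversized event whose marker sits beyond LOOKAHEAD is left
# intact, so its description still reaches the index.
OVERSIZED_EVENT = "Message=" + ("x" * (LOOKAHEAD + 100)) + "\nThis event is generated ...\n"

if __name__ == "__main__":
    print(apply_transform(SAMPLE_EVENT))
    print("fired on sample:", transform_fired(SAMPLE_EVENT))        # True
    print("fired on oversized:", transform_fired(OVERSIZED_EVENT))  # False
```

Running the regex locally like this checks the stanza itself; it does not check where the stanza is deployed, and index-time transforms such as this one are executed by the parsing tier (indexers or heavy forwarders), not by a universal forwarder.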