I want to capture Windows Event Log EventCode 4673 only once for each user over a period of one hour. If a single user generates this EventCode 100 times in one hour, I would like to record it only once in Splunk.
If this is not doable, can I remove the payload `suppress_text = 1` for this event only and not for all Windows Security Events?
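One way to get a single 4673 record per user per hour, as an added example that is not part of the original question: leave ingestion as it is and collapse the events at search time with `bin` plus `stats`, then run that search on an hourly schedule and write the result to a summary index. The index name `wineventlog`, the summary index name `summary_4673`, and the use of `user` as the field carrying the Subject account name are assumptions; check the field names your Windows TA extracts (`Account_Name` is common for the classic format) and adjust.

```spl
/* Scheduled search, cron "5 * * * *", time range earliest=-1h@h latest=@h
   (assumed index and field names; adjust to your environment)          */
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4673
| bin _time span=1h
/* one row per user per clock hour; keep how many raw events were folded in */
| stats earliest(_time) AS first_seen, count AS attempts,
        values(Process_Name) AS processes
  BY _time, user, host
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
/* write the summarised rows so dashboards/alerts read one event per user per hour */
| collect index=summary_4673 sourcetype="wineventlog:4673:hourly"
```

For an ad hoc check of the last hour without a summary index, `index=wineventlog EventCode=4673 earliest=-1h | dedup user` returns the first 4673 event seen per user in that window. Note that neither approach changes what the forwarder sends: `suppress_text` in `inputs.conf` applies to the whole `[WinEventLog://Security]` stanza, so trimming the message body for one EventCode is not something the summarisation above does; it only reduces the number of rows you search and alert on.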