Solved: Delete Windows logs description at index time

pbalbasdtt · ‎12-01-2020

Hi all,

I´m trying to delete the description that came at the end of some windows events. From the CM I deployed the following configuration in the props.conf:

[host::my.windows.host]
SEDCMD-strip_detail_msg = s/(?ims)\s+^This\sevent\sis\generated\s.+//g

After looking into the events I can see that no SEDCMD has been applied.

I´m receiving these events from a UF that collects the logs via WMI with the Splunk_TA_windows. This TA is also installed on the indexers. Thanks in advance.

Best regards.

richgalloway · ‎12-01-2020

The Splunk_TA_windows app has a setting to do that. Copy the "SEDCMD-clean_info_text_from_winsystem_events_this_event" line to local/props.conf and un-comment it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-01-2020

The Splunk_TA_windows app has a setting to do that. Copy the "SEDCMD-clean_info_text_from_winsystem_events_this_event" line to local/props.conf and un-comment it.

---
If this reply helps you, Karma would be appreciated.

pbalbasdtt · ‎12-01-2020

Hi,

I applied what you mention under WMI:WinEventLog:Security stanza and it is working like a charm. Many thanks for your help!

Regards.

Delete Windows logs description at index time

indexer

Security Highlights: September 2022 Newsletter

Platform Highlights | September 2022 Newsletter

Observability Highlights | September 2022 Newsletter