I'm trying to delete the description that comes at the end of some Windows events. From the CM I deployed the following configuration in props.conf:
[host::my.windows.host]
# strip the trailing "This event is generated ..." explanation from each event
SEDCMD-strip_detail_msg = s/(?ims)\s+^This\sevent\sis\sgenerated\s.+//g
After looking into the events I can see that no SEDCMD has been applied.
I'm receiving these events from a UF that collects the logs via WMI with the Splunk_TA_windows. This TA is also installed on the indexers. Thanks in advance.
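To show what a SEDCMD of this shape does to an event, here is an added example that is not part of the original post and not Splunk's code: it parses a Splunk-style s/regex/replacement/flags expression and applies it with Python's re module (Splunk itself uses PCRE, so only syntax common to both is used). The Windows event text is constructed, and the two SEDCMD strings are the one from the question as posted (with the \generated typo) and the same expression with \sgenerated.

```python
"""Simulate a Splunk SEDCMD (s/regex/replacement/flags) with Python's re.

Constructed example, not Splunk's implementation: Splunk applies SEDCMD with
PCRE, Python has its own engine, so only syntax both engines share is used.
"""
import re

# Constructed sample: a Windows Security event whose Message field ends with
# the explanatory text that the SEDCMD is meant to strip.
SAMPLE_EVENT = (
    "04/05/2020 10:15:01 AM\n"
    "LogName=Security\n"
    "EventCode=4624\n"
    "Message=An account was successfully logged on.\n"
    "\n"
    "This event is generated when a logon session is created.\n"
    "It is generated on the computer that was accessed.\n"
)

# The SEDCMD exactly as posted: "\g" is not a valid character escape.
BROKEN_SEDCMD = r"s/(?ims)\s+^This\sevent\sis\generated\s.+//g"
# Same expression with the missing "\s" restored before "generated".
FIXED_SEDCMD = r"s/(?ims)\s+^This\sevent\sis\sgenerated\s.+//g"


def parse_sedcmd(sedcmd):
    """Split 's<d>regex<d>replacement<d>flags' into (regex, replacement, flags).

    The character after the leading 's' is the delimiter; a backslash in front
    of the delimiter keeps it literal inside the regex or the replacement.
    """
    if len(sedcmd) < 2 or sedcmd[0] != "s":
        raise ValueError("SEDCMD must start with 's' followed by a delimiter")
    delim = sedcmd[1]
    parts, buf, i = [], [], 2
    while i < len(sedcmd) and len(parts) < 2:
        ch = sedcmd[i]
        if ch == "\\" and i + 1 < len(sedcmd) and sedcmd[i + 1] == delim:
            buf.append(delim)          # escaped delimiter stays literal
            i += 2
            continue
        if ch == delim:
            parts.append("".join(buf))  # close regex, then replacement
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) != 2:
        raise ValueError("SEDCMD is missing a delimiter")
    return parts[0], parts[1], sedcmd[i:]   # remainder after 3rd delimiter = flags


def sedcmd_compiles(sedcmd):
    """True if the regex part compiles; False on a regex syntax error."""
    regex, _, _ = parse_sedcmd(sedcmd)
    try:
        re.compile(regex)
    except re.error:
        return False
    return True


def apply_sedcmd(sedcmd, text):
    """Apply the SEDCMD to text: 'g' replaces every match, otherwise only the first.

    Splunk replacement strings use \\1-style back-references, which re.sub
    also understands, so the replacement is passed through unchanged.
    """
    regex, repl, flags = parse_sedcmd(sedcmd)
    count = 0 if "g" in flags else 1
    return re.sub(regex, repl, text, count=count)


if __name__ == "__main__":
    print("posted SEDCMD compiles:", sedcmd_compiles(BROKEN_SEDCMD))
    print("fixed SEDCMD compiles:", sedcmd_compiles(FIXED_SEDCMD))
    print(apply_sedcmd(FIXED_SEDCMD, SAMPLE_EVENT))
```

Running it shows the posted expression does not even compile (Python's re rejects the bad escape, and PCRE likewise requires \g to be followed by a group reference), while the corrected expression removes everything from the blank line before "This event is generated" to the end of the event, which is the behaviour the question is after.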
The Splunk_TA_windows app has a setting to do that. Copy the "SEDCMD-clean_info_text_from_winsystem_events_this_event" line to local/props.conf and un-comment it.
I applied what you mention under WMI:WinEventLog:Security stanza and it is working like a charm. Many thanks for your help!