Getting Data In

Delete Windows logs description at index time

pbalbasdtt
Path Finder

Hi all,

I´m trying to delete the description that came at the end of some windows events. From the CM I deployed the following configuration in the props.conf:

[host::my.windows.host]
SEDCMD-strip_detail_msg = s/(?ims)\s+^This\sevent\sis\generated\s.+//g

After looking into the events I can see that no SEDCMD has been applied.

I´m receiving these events from a UF that collects the logs via WMI with the Splunk_TA_windows. This TA is also installed on the indexers. Thanks in advance.

Best regards.

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The Splunk_TA_windows app has a setting to do that.  Copy the "SEDCMD-clean_info_text_from_winsystem_events_this_event" line to local/props.conf and un-comment it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The Splunk_TA_windows app has a setting to do that.  Copy the "SEDCMD-clean_info_text_from_winsystem_events_this_event" line to local/props.conf and un-comment it.

---
If this reply helps you, Karma would be appreciated.

pbalbasdtt
Path Finder

Hi,

I applied what you mention under WMI:WinEventLog:Security stanza and it is working like a charm. Many thanks for your help!

Regards.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...