Getting Data In

Delete Windows logs description at index time

pbalbasdtt
Path Finder

Hi all,

I´m trying to delete the description that came at the end of some windows events. From the CM I deployed the following configuration in the props.conf:

[host::my.windows.host]
SEDCMD-strip_detail_msg = s/(?ims)\s+^This\sevent\sis\generated\s.+//g

After looking into the events I can see that no SEDCMD has been applied.

I´m receiving these events from a UF that collects the logs via WMI with the Splunk_TA_windows. This TA is also installed on the indexers. Thanks in advance.

Best regards.

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The Splunk_TA_windows app has a setting to do that.  Copy the "SEDCMD-clean_info_text_from_winsystem_events_this_event" line to local/props.conf and un-comment it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The Splunk_TA_windows app has a setting to do that.  Copy the "SEDCMD-clean_info_text_from_winsystem_events_this_event" line to local/props.conf and un-comment it.

---
If this reply helps you, Karma would be appreciated.

pbalbasdtt
Path Finder

Hi,

I applied what you mention under WMI:WinEventLog:Security stanza and it is working like a charm. Many thanks for your help!

Regards.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...