The crazily verbose descriptive text that's appended to the end of many Windows Server 2008 events has been covered in Splunk Answer Disabling or removing extra description text in Windows 2008 event logs?, with an excellent answer by jervin involving using SEDCMD in props.conf to trim the description off.
The problem is, per Configuration parameters and the data pipeline, a universal forwarder can't do a SEDCMD. It seems to me like you couldn't use a universal forwarder on a Windows 2008 server without absolutely murdering your Splunk license with all that descriptive text.
Can anyone think of a way around this problem?
You could implement the configuration where the data is being parsed, most likely the indexer, and it would also alter the data in the same way.
Correct, but then doesn't the unparsed data as it comes into the indexer count against my license?
Thanks! Also, according to
Since parsing happens before indexing, what SEDCMD chops off -- even on the indexer -- is not counted towards the license.
You can also do "sendCookedData = false" on the SUF and then work on the events on the indexer or heavy forwarder.
Make the forwarder a "Heavy Forwarder" and do the work before the data is sent to the Indexer. The tradeoff is that your forwarder will have higher CPU utilization.
I love the descriptive text when I'm scrolling through an actual event log, but I don't need to index or store ten gazillion copies of MSFT boilerplate in my Splunk db.
I'm literally in the middle of doing this so thanks for your link to the SEDCMD article!
What is the resource cost of doing this on the indexers? After all, in a Windows heavy environment, some of the events with these descriptions probably make up the bulk of logged security events.
Is there a way of doing it on an intermediary step? Ie. putting an intermediary forwarder between the Windows forwarders and the indexers?