I'm not sure why, but this WMI filter isn't working. I'm trying to drop Windows Security Log events 4769, etc. before indexing. Any help is appreciated. Thanks!
props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull-1,wminull-2
transforms.conf:
[wminull-1]
REGEX=(?mi)EventCode=(4769|4634|4776|4672|4770)
DEST_KEY=queue
FORMAT=nullQueue
[wminull-2]
REGEX=(?mi)Account_Name=(admin1|admin2|admin3)
DEST_KEY=queue
FORMAT=nullQueue
Your example seems to be from Splunk 4.1.*; the sourcetype has changed since.
Try:
[WinEventLog:Security]
TRANSFORMS-wmi=wminull-1,wminull-2
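To see why the stanza name matters and what the two regexes actually drop, here is a small simulator (added here as an example; it is not Splunk code and not from either post). It models the index-time routing these stanzas ask for: each transform whose REGEX matches the raw event text sets DEST_KEY=queue to its FORMAT, and an event ending up in nullQueue is discarded. The sample events are constructed and written in the `Key=Value` shape the regexes require; note that an index-time REGEX runs against the raw event text, so a line written as `Account Name:` (no underscore, no `=`) is not matched by `Account_Name=`. The `STRICT_TRANSFORMS` variant is an assumption of mine, not from the page: it anchors the account names so that dropping `admin1` does not silently drop `admin10` as well, which is the kind of over-filtering you do not want on a security log.

```python
import re

# transforms.conf stanzas from the question, in dict form (constructed).
TRANSFORMS = {
    "wminull-1": {
        "REGEX": r"(?mi)EventCode=(4769|4634|4776|4672|4770)",
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
    },
    "wminull-2": {
        "REGEX": r"(?mi)Account_Name=(admin1|admin2|admin3)",
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
    },
}

# props.conf as the answer suggests: the stanza name must equal the real sourcetype.
# Events with the old "WMI:WinEventLog:Security" sourcetype hit no stanza at all.
PROPS = {"WinEventLog:Security": ["wminull-1", "wminull-2"]}

# Constructed sample events (sourcetype, raw text). Multi-line like real events.
SAMPLE_EVENTS = [
    ("WinEventLog:Security", "EventCode=4769\nEventType=0\nAccount_Name=user1"),   # dropped: code
    ("WinEventLog:Security", "EventCode=4624\nAccount_Name=bob"),                  # indexed
    ("WinEventLog:Security", "EventCode=4624\nAccount_Name=admin10"),              # dropped: 'admin1' substring!
    ("WMI:WinEventLog:Security", "EventCode=4769\nAccount_Name=user1"),            # indexed: no matching stanza
    ("WinEventLog:Security", "EventCode=4624\nAccount Name:\tadmin1"),             # indexed: no 'Account_Name='
]

# Tighter variant (my assumption, not on the page): anchor each line so only the
# exact names are dropped. (?m) makes ^ and $ match per line inside the event.
STRICT_TRANSFORMS = dict(TRANSFORMS)
STRICT_TRANSFORMS["wminull-2"] = {
    "REGEX": r"(?mi)^Account_Name=(admin1|admin2|admin3)$",
    "DEST_KEY": "queue",
    "FORMAT": "nullQueue",
}


def route_event(sourcetype, raw, props=PROPS, transforms=TRANSFORMS):
    """Return the queue an event lands in. Default is indexQueue; every matching
    transform with DEST_KEY=queue overwrites it, in the order props.conf lists them."""
    queue = "indexQueue"
    for name in props.get(sourcetype, []):
        t = transforms[name]
        if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], raw):
            queue = t["FORMAT"]
    return queue


def summarize(events=SAMPLE_EVENTS, props=PROPS, transforms=TRANSFORMS):
    """Route every sample event and return the list of resulting queues."""
    return [route_event(st, raw, props, transforms) for st, raw in events]


if __name__ == "__main__":
    for (st, raw), loose, strict in zip(
        SAMPLE_EVENTS, summarize(), summarize(transforms=STRICT_TRANSFORMS)
    ):
        print(f"{st:26} {raw.splitlines()[0]:15} loose={loose:10} strict={strict}")
```

Running it shows the third event (`Account_Name=admin10`) going to nullQueue under the posted regex but being kept under the anchored one, and the `WMI:`-prefixed event being kept in both cases because no props stanza applies to it, which is the symptom described in the question.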