Found a great article on how to remove the Windows message description - https://www.hurricanelabs.com/splunk-tutorials/windows-event-log-filtering-design-in-splunk# - and followed the article to create the following props/transforms conf files:
props.conf:

[source::WinEventLog:Security]
TRANSFORMS-removedescription = removeEventDesc1

transforms.conf:

[removeEventDesc1]
LOOKAHEAD = 16128
REGEX = (?msi)(.*)This event is generated
DEST_KEY = _raw
FORMAT = $1
Waited some time for the UFs to phone home and pick up the change, but when I search the Windows events, I still see the description in the event.
Any idea or insights as to why would be greatly appreciated.
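As an added example (not from either post or the linked article), the following Python script applies the same REGEX and FORMAT = $1 logic as the transforms.conf stanza above to a constructed Security event, so the cut point can be checked outside Splunk. Splunk evaluates REGEX with PCRE; the pattern uses only features that Python's re module handles the same way. The sample event is constructed, not a real capture, and the non-greedy variant is included here for comparison as an assumption, not as something either post suggests.

```python
import re

# The REGEX from the post's transforms.conf stanza, unchanged.
# (?m) multiline, (?s) dot matches newlines, (?i) case-insensitive.
# The greedy (.*) captures everything up to the LAST occurrence of the phrase.
REMOVE_DESC_RE = re.compile(r"(?msi)(.*)This event is generated")

# Assumed alternative for comparison: a non-greedy capture cuts at the FIRST
# occurrence instead. Not from the page; shown to make the difference visible.
FIRST_OCCURRENCE_RE = re.compile(r"(?msi)(.*?)This event is generated")

# Constructed sample _raw of a 4624 event (field values are made up; the
# "This event is generated ..." boilerplate mirrors the real description text).
SAMPLE_EVENT = (
    "03/14/2023 10:15:42 AM\n"
    "LogName=Security\n"
    "EventCode=4624\n"
    "EventType=0\n"
    "ComputerName=WS01.example.local\n"
    "TaskCategory=Logon\n"
    "Message=An account was successfully logged on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-0-0\n"
    "\tAccount Name:\t\t-\n"
    "\n"
    "Logon Type:\t\t3\n"
    "\n"
    "This event is generated when a logon session is created. "
    "It is generated on the computer that was accessed.\n"
    "\n"
    "The subject fields indicate the account on the local system "
    "which requested the logon.\n"
)

# Constructed event whose description lacks the marker phrase: the transform
# must leave it alone.
EVENT_WITHOUT_MARKER = (
    "03/14/2023 10:16:01 AM\n"
    "LogName=Security\n"
    "EventCode=4672\n"
    "Message=Special privileges assigned to new logon.\n"
)


def apply_transform(raw: str, pattern: re.Pattern = REMOVE_DESC_RE) -> str:
    """Mimic an index-time TRANSFORMS stanza with DEST_KEY = _raw, FORMAT = $1.

    If REGEX matches anywhere in _raw, _raw is replaced by capture group 1;
    if it does not match, _raw is returned unchanged.
    """
    match = pattern.search(raw)
    if match is None:
        return raw
    return match.group(1)


def description_removed(raw: str, pattern: re.Pattern = REMOVE_DESC_RE) -> bool:
    """True if the marker phrase is gone after the transform is applied."""
    return "this event is generated" not in apply_transform(raw, pattern).lower()


if __name__ == "__main__":
    trimmed = apply_transform(SAMPLE_EVENT)
    print("--- 4624 after transform ---")
    print(trimmed)
    print("marker removed:", description_removed(SAMPLE_EVENT))
    print("4672 untouched:", apply_transform(EVENT_WITHOUT_MARKER) == EVENT_WITHOUT_MARKER)

    # Where the phrase appears twice, greedy keeps text up to the last one,
    # non-greedy cuts at the first.
    twice = "head This event is generated middle This event is generated tail"
    print("greedy    :", repr(apply_transform(twice)))
    print("non-greedy:", repr(apply_transform(twice, FIRST_OCCURRENCE_RE)))
```

Running it shows that a matching event is cut to everything before the marker phrase (the EventCode, Message and Logon Type lines survive, the boilerplate does not), while an event without the phrase passes through unchanged. The two-occurrence case shows why the greedy `(.*)` matters: it keeps everything up to the last "This event is generated", so a description that mentions the phrase twice would only be partially removed. One caveat that the regex check cannot cover: TRANSFORMS with DEST_KEY = _raw are index-time settings evaluated in Splunk's parsing pipeline, which runs on indexers or heavy forwarders, not on a universal forwarder, so where props.conf and transforms.conf are deployed matters as much as the pattern.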
I'm trying this solution without good results. I'm still receiving the message info after configuring props.conf.
On the deployment server, in the app, I configured the parameters in local/props.conf.
Do I need anything else?