Found a great article on how to remove the Windows message description - https://www.hurricanelabs.com/splunk-tutorials/windows-event-log-filtering-design-in-splunk# - and followed the article to create the following props/transforms conf files:
props.conf:

[source::WinEventLog:Security]
TRANSFORMS-removedescription = removeEventDesc1

transforms.conf:

[removeEventDesc1]
LOOKAHEAD = 16128
REGEX = (?msi)(.*)This event is generated
DEST_KEY = _raw
FORMAT = $1
Waited some time for the UFs to phone home and pick up the change, but when I search the Windows events, I still see the description in the event.
Any ideas or insights as to why would be greatly appreciated.
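An added example, not part of the original post, that emulates what the posted transforms.conf stanza does to an event so the regex and LOOKAHEAD behaviour can be checked offline. The sample events are constructed, not real captures; the regex, LOOKAHEAD and FORMAT values are copied from the stanza above. One caveat the emulation cannot show: Splunk applies TRANSFORMS- stanzas at parse time, on an indexer or heavy forwarder, and a universal forwarder does not run them, so the props/transforms files have to live on the parsing tier.

```python
"""
Added example (not from the original post): emulate the posted
transforms.conf stanza (REGEX / DEST_KEY=_raw / FORMAT=$1 / LOOKAHEAD)
against a constructed Windows Security event so the regex can be
checked offline. Splunk runs TRANSFORMS-* stanzas where data is parsed
(indexer or heavy forwarder); a universal forwarder does not apply them.
"""
import re

# Values copied from the posted transforms.conf stanza.
LOOKAHEAD = 16128
REGEX = r"(?msi)(.*)This event is generated"
FORMAT_GROUP = 1  # FORMAT = $1

_pattern = re.compile(REGEX)


def apply_transform(raw: str, lookahead: int = LOOKAHEAD) -> str:
    """Emulate REGEX + DEST_KEY=_raw + FORMAT=$1 with a LOOKAHEAD window.

    Splunk only searches the first `lookahead` characters of the event.
    If the marker text lies beyond that window the regex does not match
    and _raw is left unchanged. When it matches, the whole _raw is
    replaced by the FORMAT expansion, here capture group 1 (everything
    before the last "This event is generated", since .* is greedy).
    """
    window = raw[:lookahead]
    m = _pattern.search(window)
    if not m:
        return raw
    return m.group(FORMAT_GROUP)


# Constructed sample (not a real capture): a 4624 logon event carrying the
# boilerplate description that the transform is meant to strip.
SAMPLE_4624 = (
    "03/07/2024 09:15:22 AM\n"
    "LogName=Security\n"
    "EventCode=4624\n"
    "EventType=0\n"
    "ComputerName=WS01.example.corp\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "Type=Information\n"
    "TaskCategory=Logon\n"
    "Message=An account was successfully logged on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tWS01$\n"
    "\n"
    "Logon Type:\t\t\t3\n"
    "\n"
    "This event is generated when a logon session is created. "
    "It is generated on the computer that was accessed.\n"
    "\n"
    "The subject fields indicate the account on the local system "
    "which requested the logon.\n"
)

# Constructed sample with no description marker; it must pass through untouched.
SAMPLE_NO_MARKER = (
    "03/07/2024 09:16:01 AM\n"
    "LogName=Security\n"
    "EventCode=4688\n"
    "Message=A new process has been created.\n"
)


def stripped_4624() -> str:
    """The 4624 sample after the transform: fields kept, description gone."""
    return apply_transform(SAMPLE_4624)


if __name__ == "__main__":
    print(stripped_4624())
    print("no-marker event unchanged:",
          apply_transform(SAMPLE_NO_MARKER) == SAMPLE_NO_MARKER)
    # A LOOKAHEAD smaller than the offset of the marker leaves _raw intact,
    # which is why the stanza sets it well above a typical event length.
    print("short LOOKAHEAD leaves event intact:",
          apply_transform(SAMPLE_4624, lookahead=100) == SAMPLE_4624)
```

Running the script prints the trimmed 4624 event, which ends at the "Logon Type" line; the key/value fields Splunk extracts (EventCode, ComputerName, Account Name) survive, only the explanatory text after the marker is dropped. If the live events still carry the description, the regex is not the problem: the stanza is either not on the parsing tier or not matching the source name.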