When retrieving EventLogs through WMI, the host value is assigned by a system/detault/props.conf config:
[wmi]
TRANSFORMS-FIELDS = wmi-host,...
Can I specify a "local" props where I use the [host::] stanza to apply some further TRANSFORMS?
I am getting troubles as it seems like when my stanza is executed, the events' host field is still the name of the HWF, i.e. my stanza's transforms are executed BEFORE [wmi-host].
My config stanza is like this:
[host::servername]
TRANSFORMS-IAS = sentAllToNullQueue, KeepIAS
p.s. if I modify the stanza to [WMI:WinEventLog:System] my configs work fine, except that they are applied to all the hosts, not just the one I need...
... View more