You can continue to use the props/transforms from the Splunk Windows TA, BUT you need to use the /local/props.conf and /local/transforms.conf. So, create a local folder within the TA and add the two files; if you change the default props and trans, they will get overwritten during upgrades in the future. So, configure as per the example below. You will need to work out what events you want to discard, so some regex, and this is the better way; the rest will get logged into Splunk.

props.conf

    [MSAD:NT6:Netlogon]
    TRANSFORMS-send_to_null_events = send_null_netlogin_events

transforms.conf

    [send_null_netlogin_events]
    REGEX = <YOUR REGEX FOR LINES YOU DON'T WANT>
    DEST_KEY = queue
    FORMAT = nullQueue

The above code then needs to be placed on the Indexers or Heavy Forwarder, i.e. wherever the data is sent first (Splunk full instances), so deploy the Windows TA that contains your new code. (Note: the UF will not do it.) Another way is to create your own sidecar TA and have the code there and run it alongside the Windows TA.
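As an added example (not part of the answer above, and not code from the Splunk Windows TA), the script below dry-runs the props/transforms wiring against sample log lines before the TA is deployed to the indexers: it parses a local/props.conf and local/transforms.conf of the same shape as the stanzas in the answer, resolves the TRANSFORMS-* reference for the MSAD:NT6:Netlogon sourcetype, and reports which lines would go to nullQueue and which would be indexed. The REGEX value is a hypothetical stand-in for the placeholder in the answer, the Netlogon lines are constructed, and Python's re module only approximates Splunk's PCRE engine, so it is a sanity check for simple patterns, not an exact replica of the indexer pipeline.

```python
import configparser
import re

# Constructed stand-ins for local/props.conf and local/transforms.conf.
# The REGEX below is hypothetical: it drops the "Entered" half of each
# SamLogon pair and keeps the "Returned" line that carries the status code.
PROPS_CONF = r"""
[MSAD:NT6:Netlogon]
TRANSFORMS-send_to_null_events = send_null_netlogin_events
"""

TRANSFORMS_CONF = r"""
[send_null_netlogin_events]
REGEX = \[LOGON\].*Entered$
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed Netlogon-style lines (not real captured data).
SAMPLE_EVENTS = [
    "03/14 10:22:05 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\\alice from WKS01 Entered",
    "03/14 10:22:05 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\\alice from WKS01 Returned 0x0",
    "03/14 10:22:07 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\\bob from WKS02 Returned 0xC000006A",
    "03/14 10:22:09 [SESSION] DC01: NetrLogonSamLogonEx returned 0x0",
]


def load_conf(text):
    """Parse a Splunk-style .conf file. Keys are case-sensitive in Splunk,
    so disable configparser's default lower-casing; interpolation is off
    because regexes may contain '%'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def null_queue_patterns(props, transforms, sourcetype):
    """Compile the REGEX of every transform referenced by a TRANSFORMS-*
    key of the sourcetype whose stanza routes to nullQueue."""
    patterns = []
    if not props.has_section(sourcetype):
        return patterns
    for key, value in props.items(sourcetype):
        if not key.startswith("TRANSFORMS-"):
            continue
        # A TRANSFORMS-* value may list several stanzas, comma separated.
        for stanza in (s.strip() for s in value.split(",")):
            t = transforms[stanza]
            if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                patterns.append(re.compile(t["REGEX"]))
    return patterns


def route_events(events, props, transforms, sourcetype):
    """Return (indexed, discarded). Splunk applies REGEX as a search over
    _raw, so re.search (not re.match) is the right approximation."""
    patterns = null_queue_patterns(props, transforms, sourcetype)
    indexed, discarded = [], []
    for event in events:
        if any(p.search(event) for p in patterns):
            discarded.append(event)
        else:
            indexed.append(event)
    return indexed, discarded


def simulate(sourcetype="MSAD:NT6:Netlogon", events=SAMPLE_EVENTS):
    """Dry-run the constructed configs against the sample lines."""
    props = load_conf(PROPS_CONF)
    transforms = load_conf(TRANSFORMS_CONF)
    return route_events(events, props, transforms, sourcetype)


if __name__ == "__main__":
    indexed, discarded = simulate()
    print(f"{len(discarded)} line(s) -> nullQueue, {len(indexed)} line(s) indexed")
    for line in discarded:
        print("  DROP ", line)
    for line in indexed:
        print("  INDEX", line)
```

Because the filter is keyed on the sourcetype stanza, a line arriving under any other sourcetype is untouched, which is the behaviour to confirm if the Netlogon data ever starts landing under a different sourcetype after a TA upgrade.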