I'm a Splunk newbie so I'm not sure this is the most efficient method but I've got it working by:
Adding a stanza to props.conf in /etc/system/local
[WinHostMon]
TRANSFORMS-filter = filter_manual_service
Adding a stanza to the transforms.conf in /etc/system/local
[filter_manual_service]
REGEX = StartMode="Manual"
DEST_KEY = queue
FORMAT = nullQueue
It would be great to find out if there is a better way to do this.
Cheers
Graham
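A dry run of the nullQueue filter described in the post, as an added example that is not part of the original post or Splunk's own code. It checks that the stanza carries the three keys the filter depends on and shows which events the regex would discard, including a Manual-start service that is currently running. The sample events and their field layout are constructed, and Python's `re` stands in for Splunk's PCRE matching.

```python
import configparser
import re

# Constructed transforms.conf stanza mirroring the one in the post.
TRANSFORMS = """
[filter_manual_service]
REGEX = StartMode="Manual"
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed WinHostMon-style service events (field layout is an assumption).
EVENTS = [
    'Type=Service\nName="Spooler"\nStartMode="Auto"\nState="Running"',
    'Type=Service\nName="AJRouter"\nStartMode="Manual"\nState="Stopped"',
    'Type=Service\nName="RemoteRegistry"\nStartMode="Manual"\nState="Running"',
    'Type=Service\nName="WinDefend"\nStartMode="Disabled"\nState="Stopped"',
]

REQUIRED = ("REGEX", "DEST_KEY", "FORMAT")

def load_transform(text, stanza):
    """Parse one stanza and fail loudly if a required key is absent or misspelled."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    keys = dict(cp[stanza])
    missing = [k for k in REQUIRED if k not in keys]
    if missing:
        raise ValueError(f"[{stanza}] missing keys: {missing}")
    return keys

def route(event, transform):
    """Return the queue an event would go to under this transform."""
    if transform["DEST_KEY"] == "queue" and re.search(transform["REGEX"], event):
        return transform["FORMAT"]
    return "indexQueue"

def dropped_names(events, transform):
    """Names of services whose events would be discarded before indexing."""
    return [re.search(r'Name="([^"]*)"', ev).group(1)
            for ev in events if route(ev, transform) == "nullQueue"]

if __name__ == "__main__":
    t = load_transform(TRANSFORMS, "filter_manual_service")
    print("dropped:", dropped_names(EVENTS, t))
```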