I have racked my brain over this and still can't get it to work!! Here are my config files:

Inputs.conf

[WinEventLog:Application]
disabled = 0

[WinEventLog:System]
disabled = 0

props.conf

[WinEventLog:Application]
TRANSFORMS-wmi = FitlerApp

[WinEventLog:System]
TRANSFORMS-wmi = FilterSys

transforms.conf

[FilterApp]
REGEX = (?msi)^Type=Information
DEST_KEY = queue
FORMAT = nullQueue

[FilterSys]
REGEX = (?msi)^Type=Information
DEST_KEY = queue
FORMAT = nullQueue

I was putting all of these files in C:\Program Files\Splunk\etc\system\local, but after reading alain_bettiol's post, I moved the transforms.conf and props.conf files into C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local and it still doesn't work! What am I doing wrong? Please advise!