Hi Kristian,
Thank you. It's well thought out, but unfortunately, the events are still coming in. I'm monitoring 30 seconds realtime and watching the 5145 events just pour in. I copied the [null_user] and [null_seqid] directly into the transforms.conf and added the stanza in the props.conf.
You are right about the 'LogName=Security' being redundant.
Thanks for the information about the 'case_sensitive_match' (I did not know that).
I wish I understood the process (route these events take to get into Splunk) better.