Based upon this, I installed a full instance, added some local logs, disabled splunkweb, and edited these files under /etc/system/local/:
props.conf:

[source::WinEventLog:Application]
TRANSFORMS-null = setnull

[source::WinEventLog:DNS Server]
TRANSFORMS-null = setnull

[source::WinEventLog:Directory Service]
TRANSFORMS-null = setnull

[source::WinEventLog:Security]
TRANSFORMS-null = setnull

[source::WinEventLog:System]
TRANSFORMS-null = setnull

transforms.conf:

[setnull]
REGEX = (?m)^Type=Information
DEST_KEY = queue
FORMAT = nullQueue
Is this the appropriate way of achieving what I'm looking for?
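To check what the two stanzas above actually do to an event before relying on them on a live indexer, here is an added Python simulation (not part of the question and not Splunk code) that applies the same source stanzas and REGEX to constructed WinEventLog-style events; the event text and the WinEventLog:Setup source are assumptions, and re.MULTILINE stands in for PCRE's (?m).

```python
import re

# props.conf from the question: source stanza -> TRANSFORMS-null value
PROPS = {
    "WinEventLog:Application": "setnull",
    "WinEventLog:DNS Server": "setnull",
    "WinEventLog:Directory Service": "setnull",
    "WinEventLog:Security": "setnull",
    "WinEventLog:System": "setnull",
}

# transforms.conf [setnull] stanza; re.MULTILINE plays the role of PCRE's (?m)
SETNULL = {"regex": r"^Type=Information", "dest_key": "queue", "format": "nullQueue"}

def route(source, event, multiline=True):
    """Return the queue an event lands in: 'nullQueue' (dropped) or 'indexQueue'.
    multiline=False shows what happens if the (?m) flag is left out of REGEX."""
    if PROPS.get(source) != "setnull":
        return "indexQueue"          # no stanza for this source: nothing is filtered
    flags = re.MULTILINE if multiline else 0
    if SETNULL["dest_key"] == "queue" and re.search(SETNULL["regex"], event, flags):
        return SETNULL["format"]
    return "indexQueue"

# Constructed sample events in the classic key=value WinEventLog layout (not real logs)
def win_event(log_name, event_type, message):
    return (f"08/18/2011 10:00:01 AM\nLogName={log_name}\nSourceName=Example\n"
            f"EventCode=1000\nType={event_type}\nComputerName=SRV01\nMessage={message}")

INFO_APP = win_event("Application", "Information", "Service started.")
ERROR_APP = win_event("Application", "Error", "Service crashed.")
INFO_SETUP = win_event("Setup", "Information", "Update installed.")

def demo():
    return {
        "info/Application": route("WinEventLog:Application", INFO_APP),
        "error/Application": route("WinEventLog:Application", ERROR_APP),
        "info/Setup": route("WinEventLog:Setup", INFO_SETUP),  # source not in props.conf
        "info/Application no (?m)": route("WinEventLog:Application", INFO_APP, multiline=False),
    }

if __name__ == "__main__":
    for name, queue in demo().items():
        print(f"{name:28} -> {queue}")
```

The last case matters in practice: each event begins with a timestamp line, so without (?m) the ^ anchor never reaches the Type= line and nothing is dropped.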