Hello Everyone,
I know there are questions similar to mine, but I cannot seem to transform them into a solution for my problem. I am trying to dump information event logs to the nullQueue so they do not count against the cap (company still deciding if they want Splunk). What I currently have is (sorry if new lines are messed up):
transforms.conf:

[RemoveInformation]
REGEX=(?m)Types=sInformation
DEST_KEY = queue
FORMAT = nullQueue

props.conf:

[WMI:WinEventLog:Application]
TRANSFORMS-wmi= RemoveInformation
[WMI:WinEventLog:Security]
TRANSFORMS-wmi= RemoveInformation
[WMI:WinEventLog:System]
TRANSFORMS-wmi= RemoveInformation
[WMI:WinEventLog:Setup]
TRANSFORMS-wmi= RemoveInformation
I don't believe it matters, but I am using a Windows-based universal forwarder sending back to a Debian-based Splunk server.
Thank you for any and all suggestions.
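Added example (not part of the original post): a transforms.conf/props.conf pair that drops Windows Information-level events to nullQueue by matching the "Type=Information" line that WinEventLog events carry. It assumes the Type field appears on its own line as "Type=Information" in these events, and that both files are deployed on the indexer (or a heavy forwarder), since a universal forwarder does not run index-time TRANSFORMS.

```ini
# transforms.conf  (deploy on the indexer / heavy forwarder, not the UF)
[RemoveInformation]
# (?m) makes ^ and $ anchor at each line of the multi-line event.
# \s* tolerates optional whitespace around "=" and trailing CR/LF.
# Backslashes must survive copy/paste: "Types=sInformation" will never match.
REGEX = (?m)^Type\s*=\s*Information\s*$
DEST_KEY = queue
FORMAT = nullQueue

# props.conf  (same host as transforms.conf)
# The TRANSFORMS-<name> suffix is arbitrary but should be descriptive.
[WMI:WinEventLog:Application]
TRANSFORMS-drop_info = RemoveInformation

[WMI:WinEventLog:Security]
TRANSFORMS-drop_info = RemoveInformation

[WMI:WinEventLog:System]
TRANSFORMS-drop_info = RemoveInformation

[WMI:WinEventLog:Setup]
TRANSFORMS-drop_info = RemoveInformation
```

Events routed to nullQueue are discarded before indexing, so they never reach the license meter; restart splunkd on the indexer after changing these files so the new parsing rules load.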