Hi
We are trying to discard some noisy events with specific event IDs from a Windows server, and we want to do this on the index server (not on the forwarder).
We are not sure whether we can use a conditional statement in the transforms.conf file. I have the following sample files and would appreciate it if you could help us.
I have copied the relevant stanza from /default to /local and created two files as below:
/local/props.conf

[wmi]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+---splunk-wmi-end-of-event---\r\n[\r\n]*)
CHARSET = UTF-8
TRANSFORMS-wmi = wminull

/local/transforms.conf

[wminull]
REGEX = (?m)ComputerName=(hostname)
DEST_KEY = MetaData:Host
FORMAT = host::$1
Where do I put the event ID?
Thank you
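
An added example, not part of the original post or of Splunk's shipped configuration: the usual way to discard events at index time is a transform that sends matching events to nullQueue, with the event ID placed in REGEX. It assumes the raw WMI event text carries the ID on its own line as EventCode=NNNN; the IDs 4662 and 5156 are constructed placeholders.

```ini
# local/props.conf
# Only the override is needed here; LINE_BREAKER, CHARSET and the other
# [wmi] settings are still inherited from default/props.conf.
[wmi]
TRANSFORMS-wmi = wminull

# local/transforms.conf
# transforms.conf has no if/else: the "condition" is the regex itself.
# Any event whose raw text matches REGEX is routed to nullQueue (dropped);
# everything else continues to the index unchanged.
[wminull]
# (?m) lets ^ match at the start of each line inside the multi-line event.
# The alternation lists the event IDs to discard (placeholders, replace them).
# \b stops 4662 from also matching a longer number such as 46620.
REGEX = (?m)^EventCode=(4662|5156)\b
DEST_KEY = queue
FORMAT = nullQueue
```

Events routed to nullQueue are dropped before indexing and cannot be recovered, so keep the regex anchored and as narrow as the noise you want gone. The indexer must be restarted for the change to load, and it only affects data that arrives afterwards.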