I tried this solution but no success.
I am trying to filter data from being indexed. I need only the Error events.
In props.conf:
[source:://C:\\Windows\\System32\\winevt\\Logs]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = setnull, setparsing
In transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = Error
DEST_KEY = queue
FORMAT = indexQueue
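
Added example, not part of the original post and not Splunk's own code: a small Python model of how the two transforms named in TRANSFORMS-set are evaluated in the listed order, with each matching transform overwriting the queue key. The sample events, the `route` and `kept` helpers and the default queue value are constructed assumptions for illustration.

```python
import re

# Transform definitions copied from the transforms.conf in the post.
TRANSFORMS = {
    "setnull": {"REGEX": r".", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "setparsing": {"REGEX": r"Error", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "Type=Error EventCode=1000 Message=Application crashed",
    "Type=Information EventCode=7036 Message=Service entered the running state",
    "Type=Warning EventCode=1014 Message=Name resolution timed out",
    "type=error EventCode=11 Message=lowercase keyword",
    "Type=Information EventCode=1 Message=Error reporting service started",
]


def route(event, chain, default_queue="indexQueue"):
    """Return the queue an event ends in after the transforms in `chain` run in order.

    Assumption of this model: an event that matches nothing keeps default_queue.
    """
    keys = {"queue": default_queue}
    for name in chain:
        t = TRANSFORMS[name]
        # Unanchored, case-sensitive search over the raw event text.
        if re.search(t["REGEX"], event):
            keys[t["DEST_KEY"]] = t["FORMAT"]  # a later match overwrites an earlier one
    return keys["queue"]


def kept(events, chain):
    """Events that would reach the index for the given transform order."""
    return [e for e in events if route(e, chain) == "indexQueue"]


if __name__ == "__main__":
    for order in (["setnull", "setparsing"], ["setparsing", "setnull"]):
        print(order)
        for e in kept(SAMPLE_EVENTS, order):
            print("  indexed:", e)
```

In this model the lowercase `type=error` event is dropped because the regex is case-sensitive, and the Information event is kept because `Error` appears in its message text.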