Hi Guys,
We have UFs on our DCs and 2 indexers. On both indexers, to drop the unwanted text from events, I tried using the following regex in /opt/splunk/etc/slave-apps/Splunk_TA_windows/local/props.conf:

[WinEventLog:Security]
SEDCMD-shortern4624 = SEDCMD-shortern4624 = s/(?mis)(.*EventCode=4624.*)This event is generated when a logon session.*$/\1/g

It does not work.
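An offline check of the expression from the post above, added here as an example and not part of the original post: it tests whether a props.conf SEDCMD value is a well-formed `s/regex/replacement/flags` substitution and, if so, applies it to a sample event. Assumptions: Python's `re` stands in for Splunk's regex engine, the conf line is split at the first `=`, the sample event is constructed, and the helper names `parse_sedcmd` and `check_line` are hypothetical.

```python
import re

# Constructed sample of a classic-format 4624 event (not real log data).
SAMPLE_EVENT = (
    "01/01/2024 10:00:00 AM\n"
    "LogName=Security\n"
    "EventCode=4624\n"
    "Message=An account was successfully logged on.\n"
    "Logon Type:\t\t3\n"
    "\n"
    "This event is generated when a logon session is created. "
    "It is generated on the computer that was accessed.\n"
    "The subject fields indicate the account on the local system.\n"
)

REGEX = r"(?mis)(.*EventCode=4624.*)This event is generated when a logon session.*$"
SINGLE_KEY = r"SEDCMD-shortern4624 = s/" + REGEX + r"/\1/g"
DOUBLED_KEY = "SEDCMD-shortern4624 = " + SINGLE_KEY  # key repeated inside the value


def parse_sedcmd(value):
    """Return (regex, replacement, flags) for 's/regex/replacement/flags', else None."""
    m = re.fullmatch(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(\w*)", value.strip(), re.S)
    return m.groups() if m else None


def check_line(line, event):
    """Split a conf line at the first '=' and apply its substitution to event.

    Returns (key, rewritten_event), or (key, None) when the value is not a
    well-formed s/// expression.
    """
    key, _, value = line.partition("=")
    parsed = parse_sedcmd(value)
    if parsed is None:
        return key.strip(), None
    regex, replacement, flags = parsed
    count = 0 if "g" in flags else 1  # re.sub: count=0 means replace all
    return key.strip(), re.sub(regex, replacement, event, count=count)


if __name__ == "__main__":
    for line in (SINGLE_KEY, DOUBLED_KEY):
        key, out = check_line(line, SAMPLE_EVENT)
        print(key, "->", "not a valid s/// value" if out is None else repr(out))
```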