We are attempting to ingest server powershell logging into Splunk. We found that ingest all the data was noisy and want to reduce the data ingested to what we really care about. Our goal is to only ingest Event Code 4104 with the level: Warning.
Is there a way to blacklist everything, and then whitelist only Event Code 4104 with the level: Warning?
We are ingesting via here: [WinEventLog://Microsoft-Windows-PowerShell/Operational]
↧