Henry Robalino animetauren
animetauren
/ props.conf
Last active
May 4, 2023 17:57
— forked from automine/props.conf
Windows Event Clean Up in Splunk
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [source::WinEventLog:System] | |
| SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g | |
| [source::WinEventLog:Security] | |
| SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g | |
| SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g | |
| SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/ | |
| SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/ | |
| SEDCMD-remove_ffff = s/::ffff://g | |
| SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g |