I've tried to filter native event logs being indexed using the [WinEventLog...] sourcetype. Here is the config:
# props.conf
[WinEventLog:Security]
TRANSFORMS-set = delete

# transforms.conf
[delete]
REGEX = .*EventCode\=540.*
DEST_KEY = queue
FORMAT = nullQueue
Wondering if this is a bug?!
Though you don't actually say, I assume your problem is that the events with EventCode 540 are not being dropped and that you want them to be. I do not know of any bugs in this area.
However, if that is what you are trying to do, one problem is that the "
answered 06 Mar '10, 07:17
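As an added illustration (not part of the question or the answer above), the following Python script emulates what the transform in the question does: Splunk evaluates REGEX as an unanchored PCRE match against the raw event (SOURCE_KEY defaults to _raw) and, on a match, sets the queue key to nullQueue so the event is discarded before indexing. Python's re module stands in for Splunk's PCRE engine, the multi-line sample events are constructed for this example in the classic WinEventLog:Security layout, and the anchored pattern is my suggested alternative, not something the post proposes. The point it makes is that the question's pattern does match a multi-line event even though `.` does not cross line breaks, but it is a substring match, so any EventCode that merely begins with 540 would be dropped as well.

```python
import re

# Constructed sample events (not from the original post) in the raw layout the
# Splunk Windows event-log input produced for WinEventLog:Security at the time.
SAMPLE_EVENTS = [
    # A logon event with the code the question wants to drop.
    "03/06/2010 07:00:01 AM\n"
    "LogName=Security\n"
    "SourceName=Security\n"
    "EventCode=540\n"
    "EventType=8\n"
    "Type=Success Audit\n"
    "ComputerName=DC01\n"
    "User=jdoe\n"
    "Message=Successful Network Logon",
    # A different code that must be kept.
    "03/06/2010 07:00:02 AM\n"
    "LogName=Security\n"
    "SourceName=Security\n"
    "EventCode=528\n"
    "EventType=8\n"
    "Type=Success Audit\n"
    "ComputerName=DC01\n"
    "User=jdoe\n"
    "Message=Successful Logon",
    # Constructed code that only starts with 540; a substring match drops it too.
    "03/06/2010 07:00:03 AM\n"
    "LogName=Security\n"
    "SourceName=Security\n"
    "EventCode=5400\n"
    "EventType=8\n"
    "Type=Success Audit\n"
    "ComputerName=DC01\n"
    "User=jdoe\n"
    "Message=Constructed event for illustration",
]

# The exact pattern from the question. Splunk applies it unanchored to _raw;
# Python's re.search behaves the same way for this purpose.
QUESTION_REGEX = r".*EventCode\=540.*"

# Suggested tighter alternative (assumption: only EventCode 540 itself should be
# dropped). (?m) makes ^ and $ match at line boundaries inside the multi-line event.
ANCHORED_REGEX = r"(?m)^EventCode=540$"


def route(event: str, regex: str) -> str:
    """Emulate DEST_KEY = queue / FORMAT = nullQueue for one raw event.

    Returns the queue the event would be sent to: 'nullQueue' when the transform's
    REGEX matches anywhere in the raw text, otherwise the normal 'indexQueue'.
    """
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def route_all(events, regex: str):
    """Route a batch of raw events and return the queue chosen for each one."""
    return [route(event, regex) for event in events]


if __name__ == "__main__":
    for label, regex in (("question", QUESTION_REGEX), ("anchored", ANCHORED_REGEX)):
        print(label, route_all(SAMPLE_EVENTS, regex))
```

Run it and compare the two lines of output: the question's pattern sends the first and third events to nullQueue, the anchored pattern only the first. If the real deployment still indexes EventCode 540 events, the regex itself is not the reason, which narrows the search to where the transform is applied (the props/transforms pair must be on the Splunk instance that parses the data, since a universal forwarder does not run transforms).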