Initial commit

Vagrant/resources/splunk_server/props.conf

@@ -0,0 +1,14 @@
+[source::WinEventLog:*]
+TRANSFORMS-host = wef_computername_as_host
+
+[sourcetype::powershell_transcript]
+TRANSFORMS-powershell_rename_host = powershell_rename_host
+
+[powershell_transcript]
+BREAK_ONLY_BEFORE = THISREGEXDOESNTEXIST
+DATETIME_CONFIG =
+NO_BINARY_CHECK = true
+TIME_FORMAT = %Y%m%d%H%M%S
+TIME_PREFIX = Start\stime\:\s
+category = Custom
+pulldown_type = true

Vagrant/resources/splunk_server/transforms.conf

@@ -0,0 +1,10 @@
+[powershell_rename_host]
+DEST_KEY = MetaData:Host
+SOURCE_KEY = MetaData:Source
+REGEX = PowerShell_transcript\.([^\S]+)\.
+FORMAT = host::$1
+
+[wef_computername_as_host]
+DEST_KEY = MetaData:Host
+REGEX = (?m)ComputerName=(.+)
+FORMAT = host::$1