DetectionLab/Vagrant/resources/splunk_server/transforms.conf

[powershell_rename_host]
DEST_KEY = MetaData:Host
SOURCE_KEY = MetaData:Source
REGEX = PowerShell_transcript\.([^\.]+)\.
FORMAT = host::$1

[wef_computername_as_host]
DEST_KEY = MetaData:Host
REGEX = (?m)ComputerName=(.+)
FORMAT = host::$1

[osquery_hostidentifier_as_host]
DEST_KEY = MetaData:Host
REGEX = hostIdentifier\"\:\"([^\"]+)\"
FORMAT = host::$1

[osquery_status_filter]
REGEX = (POST\srequest\sto\sURI|Refreshing\sconfiguration|not\sattaching|Executing\sscheduled\squery|Error\scasting)
DEST_KEY = queue
FORMAT = nullQueue

[autoruns_wineventlog_null]
REGEX = "C:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1"
DEST_KEY = queue
FORMAT = nullQueue

[removeEventDesc1]
LOOKAHEAD = 20000
REGEX = (?msi)(.*)This event is generated
DEST_KEY = _raw
FORMAT = $1

[removeEventDesc2]
LOOKAHEAD = 20000
REGEX = (?msi)(.*)The subject fields indicate
DEST_KEY = _raw
FORMAT = $1