https://community.splunk.com/t5/Getting-Data-In/Send-the-logs-level-info-to-null-queue/m-p/671593#M112564 <P>Hi, I am trying to ignore the logs that have level info and want to send them to null queue:</P><P>example logs (not including the befor eand after pattern of the logs but its a json format and this is one of the fields):&nbsp;</P><P><SPAN>"</SPAN><SPAN class="">level</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">info</SPAN><SPAN>",</SPAN></P><P>&nbsp;</P><P><SPAN>I have tried below and it does not work, can someone help if this is correct or is there another way, the below is in heavy forwarder</SPAN></P><P><SPAN>props:</SPAN></P><P><SPAN>[abc]<BR />TRANSFORMS-null = infonull<BR /></SPAN></P><P>&nbsp;</P><P><SPAN>transforms</SPAN></P><P><SPAN>[infonull]<BR />SOURCE_KEY = level<BR />REGEX = info<BR />DEST_KEY = queue<BR />FORMAT = nullQueue<BR /></SPAN></P> Tue, 12 Dec 2023 15:22:00 GMT abhi04 2023-12-12T15:22:00Z https://community.splunk.com/t5/Getting-Data-In/Send-the-logs-level-info-to-null-queue/m-p/671593#M112564 <P>Hi, I am trying to ignore the logs that have level info and want to send them to null queue:</P><P>example logs (not including the befor eand after pattern of the logs but its a json format and this is one of the fields):&nbsp;</P><P><SPAN>"</SPAN><SPAN class="">level</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">info</SPAN><SPAN>",</SPAN></P><P>&nbsp;</P><P><SPAN>I have tried below and it does not work, can someone help if this is correct or is there another way, the below is in heavy forwarder</SPAN></P><P><SPAN>props:</SPAN></P><P><SPAN>[abc]<BR />TRANSFORMS-null = infonull<BR /></SPAN></P><P>&nbsp;</P><P><SPAN>transforms</SPAN></P><P><SPAN>[infonull]<BR />SOURCE_KEY = level<BR />REGEX = info<BR />DEST_KEY = queue<BR />FORMAT = nullQueue<BR /></SPAN></P> Tue, 12 Dec 2023 15:22:00 GMT https://community.splunk.com/t5/Getting-Data-In/Send-the-logs-level-info-to-null-queue/m-p/671593#M112564 abhi04 2023-12-12T15:22:00Z https://community.splunk.com/t5/Getting-Data-In/Send-the-logs-level-info-to-null-queue/m-p/671595#M112565 <P>Sample example logs:</P><P>{"timestamp":"2023-12-12T15:27:22.890Z","shortmessage":"(abc): def ghi","level":"info","source":"xyz,"file":"/home/abc/def.txt","line":144}</P> Tue, 12 Dec 2023 15:29:48 GMT https://community.splunk.com/t5/Getting-Data-In/Send-the-logs-level-info-to-null-queue/m-p/671595#M112565 abhi04 2023-12-12T15:29:48Z https://community.splunk.com/t5/Getting-Data-In/Send-the-logs-level-info-to-null-queue/m-p/671609#M112568 <P>"level" is not a valid value for SOURCE_KEY.&nbsp; Try _raw, instead.</P><LI-CODE lang="markup">[infonull] SOURCE_KEY = _raw REGEX = "level":"info" DEST_KEY = queue FORMAT = nullQueue</LI-CODE> Tue, 12 Dec 2023 16:17:48 GMT https://community.splunk.com/t5/Getting-Data-In/Send-the-logs-level-info-to-null-queue/m-p/671609#M112568 richgalloway 2023-12-12T16:17:48Z https://community.splunk.com/t5/Getting-Data-In/Send-the-logs-level-info-to-null-queue/m-p/671624#M112575 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P> Tue, 12 Dec 2023 17:25:37 GMT https://community.splunk.com/t5/Getting-Data-In/Send-the-logs-level-info-to-null-queue/m-p/671624#M112575 abhi04 2023-12-12T17:25:37Z