https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753119#M119582 <P>It's hard to evaluate the expressions without sample data, but I have doubts about the number of escape characters (particularly "\\s*").&nbsp; Have you used <A href="https://regex101.com" target="_blank" rel="noopener">regex101.com</A> to verify the expressions?</P> Mon, 15 Sep 2025 20:48:42 GMT richgalloway 2025-09-15T20:48:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753109#M119577 <P>Can anyone give me some examples of using&nbsp;STOP_PROCESSING_IF in transforms.conf? Seems there is no examples exists within transforms.conf.example<BR /><BR />Can I use it to stop processing events once match a regex?</P> Mon, 15 Sep 2025 16:52:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753109#M119577 vincentwhn 2025-09-15T16:52:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753110#M119578 <P>I've seen that setting used like this</P><LI-CODE lang="markup">transforms.conf [mytransform] INGEST_EVAL = queue=if(condition, "nullQueue", queue) STOP_PROCESSING_IF = queue=="nullQueue"</LI-CODE><P>&nbsp;</P> Mon, 15 Sep 2025 17:06:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753110#M119578 richgalloway 2025-09-15T17:06:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753111#M119579 <P>Thanks for your reply.<BR /><BR />Can you also help to review below configs as well? Many Thanks.<BR /><BR /></P><P>[testlog]<BR />RULESET-ruleset_testlog = rule1, rule2, rule3, rule4<BR />RULESET_DESC-ruleset_testlog =</P><P>transforms.conf</P><P>[rule1]<BR />STOP_PROCESSING_IF = if(match(_raw, "\"Workload\"\\s*:\\s*\"?CRM\"?") and (match(_raw,"\"EntityName\"\\s*:\\s*\"?(appointment|contact|lead|list|msevtmgt_event|opportunity|ttr_couponmaster)\"?") or match(_raw, "\"Message\"\\s*:\\s*\"?ExportToExcel\"?")),false,true)</P><P>[rule2]<BR />INGEST_EVAL = _raw:=replace(_raw, "(\"(?!(?:EntityId|EntityName|Message|QueryResults|CorrelationId|InstanceUrl|Fields|Name|Value|UserId|Id|CreationTime|Workload|ResultStatus))[^\"]+\"\\s*:\\s*(?:\\{[^{}]*\\}|\\[[^\\[\\]]*\\]|\"(?:[^\"\\\\]|\\\\.)*\"|[^,}\\r\\n]+))", "")</P><P>[rule3]<BR />INGEST_EVAL = _raw:=replace(_raw, ",{2,}", ",")</P><P>[rule4]<BR />INGEST_EVAL = _raw:=replace(_raw, ",}\\s*$", "}")<BR /><BR />I would like to use rule1 to limit where those&nbsp;INGEST_EVAL applies. Am I doing anything wrong here?<BR />Applied above config but found no changes.</P> Mon, 15 Sep 2025 17:07:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753111#M119579 vincentwhn 2025-09-15T17:07:51Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753119#M119582 <P>It's hard to evaluate the expressions without sample data, but I have doubts about the number of escape characters (particularly "\\s*").&nbsp; Have you used <A href="https://regex101.com" target="_blank" rel="noopener">regex101.com</A> to verify the expressions?</P> Mon, 15 Sep 2025 20:48:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753119#M119582 richgalloway 2025-09-15T20:48:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753127#M119583 <P>Thanks for your reply. The problem is solved.<span class="lia-unicode-emoji" title=":beaming_face_with_smiling_eyes:">😁</span></P> Tue, 16 Sep 2025 08:08:00 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753127#M119583 vincentwhn 2025-09-16T08:08:00Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753135#M119585 <P>Please share the solution.</P> Tue, 16 Sep 2025 12:01:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753135#M119585 richgalloway 2025-09-16T12:01:49Z https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753196#M119591 <P>This is my sample log:<BR /><BR />{"AppAccessContext": {"AADSessionID": "f3a2b6d4-1234-4c89-9a67-8b2e5d7c9f01", "ClientAppId": "00000003-0000-0ff1-ce00-000000000000", "ClientAppName": "SharePoint Online", "CorrelationId": "e5d6a7b8-2345-4f90-8c12-9d8e7f6a5b4c", "TokenIssuedAtTime": "2025-09-16T05:12:33Z", "UniqueTokenId": "abc123xyz789", "UserObjectid": "d2f3a4b5-6789-4cde-9012-3456789abcde"}, "CreationTime": "2025-09-16T05:12:35Z", "Id": "9876543210", "Operation": "FileAccessed", "OrganizationId": "contoso.onmicrosoft.com", "RecordType": 6, "UserKey": "i:0#.f|membership|vincent.wong@contoso.com", "UserType": 0, "Version": 1, "Workload": "SharePoint", "ClientIP": "203.0.113.45", "UserId": "vincent.wong@contoso.com", "ApplicationiD": "spfx-app-12345", "AuthenticationType": "Federated", "BrowserName": "Edge", "BrowserVersion": "116.0.1938.81", "EventSource": "SharePoint", "GeoLocation": "HK", "IsManagedDevice": true, "ItemType": "File", "ListItemUniqueId": "b3c4d5e6-f789-4abc-9012-3456789def01", "Pleatform": "Windows", "Site": "<A href="https://contoso.sharepoint.com/sites/ProjectX" target="_blank">https://contoso.sharepoint.com/sites/ProjectX</A>", "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "WebId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "DeviceDisplayName": "Vincent-Laptop", "HighPriorityMediaProcessing": false, "ListBassType": 101, "ListServerTemplate": 101, "DestinationFileExtension": ".docx", "SourceFileExtension": ".docx", "SourceRelativeUrl": "/sites/ProjectX/Shared Documents/Report.docx", "SourceFileName": "Report.docx", "DestinationRelativeUrl": "/sites/ProjectX/Shared Documents/Report.docx", "DestinationFileName": "Report.docx", "ApplicationDisplayName": "Microsoft Office Word", "SiteUrl": "<A href="https://contoso.sharepoint.com/sites/ProjectX-prd-test" target="_blank">https://contoso.sharepoint.com/sites/ProjectX-prd-test</A>", "ObjectId": "<A href="https://contoso.sharepoint.com/sites/ProjectX/Shared" target="_blank">https://contoso.sharepoint.com/sites/ProjectX/Shared</A> Documents/Report.docx"}<BR /><BR /><BR />I use the config below to control if the log masking is enabled or not:<BR /><BR /></P><P>props.conf</P><P>[testlog]<BR />RULESET-SharePoint_log_filter = SharePoint_log_filter_control, SharePoint_log_filter_rule1, SharePoint_log_filter_rule2, SharePoint_log_filter_rule3, SharePoint_log_filter_rule4</P><P>transforms.conf</P><P>[SharePoint_log_filter_control]<BR />INGEST_EVAL = SharePoint_log_filter_control=if(match(_raw, "\"Workload\": \"SharePoint\".*\"SiteUrl\": \".*-prd.*\""), "match", "not_match")<BR />STOP_PROCESSING_IF = SharePoint_log_filter_control=="not_match"</P><P>[SharePoint_log_filter_rule1]<BR />INGEST_EVAL=_raw:=replace(_raw, "(\"(?!(?:Operation|SiteUrl|UserId|Workload))[^\"]+\"\\s*:\\s*(?:\\{[^{}]*\\}|\\[[^\\[\\]]*\\]|\"(?:[^\"\\\\]|\\\\.)*\"|[^,}\\r\\n]+))", "")</P><P>[SharePoint_log_filter_rule2]<BR />INGEST_EVAL=_raw:=replace(_raw, "(,\\s+)+", ", ")</P><P>[SharePoint_log_filter_rule3]<BR />INGEST_EVAL=_raw:=replace(_raw, ", }", "}")</P><P>[SharePoint_log_filter_rule4]<BR />INGEST_EVAL=_raw:=replace(_raw, "{, ", "{")</P> Wed, 17 Sep 2025 02:59:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-use-STOP-PROCESSING-IF-in-transforms-conf/m-p/753196#M119591 vincentwhn 2025-09-17T02:59:40Z