topic Re: How do I discard all hosts that begin with ISE in transforms.conf? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-do-I-discard-all-hosts-that-begin-with-ISE-in-transforms/m-p/149193#M30379 <P>Does this read just the host field, or the entire raw event? </P> Wed, 12 Aug 2015 15:48:39 GMT a212830 2015-08-12T15:48:39Z How do I discard all hosts that begin with ISE in transforms.conf? https://community.splunk.com/t5/Getting-Data-In/How-do-I-discard-all-hosts-that-begin-with-ISE-in-transforms/m-p/149191#M30377 <P>Hi,</P> <P>I want to look at the host field and discard all hosts that begin with ISE. How would I do that? My understanding is that only certain regexes are available for host in transforms?</P> Thu, 30 Jul 2015 02:32:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-discard-all-hosts-that-begin-with-ISE-in-transforms/m-p/149191#M30377 a212830 2015-07-30T02:32:13Z Re: How do I discard all hosts that begin with ISE in transforms.conf? https://community.splunk.com/t5/Getting-Data-In/How-do-I-discard-all-hosts-that-begin-with-ISE-in-transforms/m-p/149192#M30378 <P>Like this:</P> <P>In <CODE>props.conf</CODE>:</P> <PRE><CODE>[yourSourceTypeHere] TRANSFORMS-remove_ISE_hosts = remove_ISE_hosts </CODE></PRE> <P>In <CODE>transforms.conf</CODE>:</P> <PRE><CODE>[remove_ISE_hosts] SOURCE_KEY = MetaData:Host REGEX = "^ISE" DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>You can read more about this at Filter Event Data and Send to Queues:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues">http://docs.splunk.com/Documentation/Splunk/6.2.4/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A></P> Fri, 31 Jul 2015 22:18:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-discard-all-hosts-that-begin-with-ISE-in-transforms/m-p/149192#M30378 woodcock 2015-07-31T22:18:37Z Re: How do I discard all hosts that begin with ISE in transforms.conf? https://community.splunk.com/t5/Getting-Data-In/How-do-I-discard-all-hosts-that-begin-with-ISE-in-transforms/m-p/149193#M30379 <P>Does this read just the host field, or the entire raw event? </P> Wed, 12 Aug 2015 15:48:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-discard-all-hosts-that-begin-with-ISE-in-transforms/m-p/149193#M30379 a212830 2015-08-12T15:48:39Z Re: How do I discard all hosts that begin with ISE in transforms.conf? https://community.splunk.com/t5/Getting-Data-In/How-do-I-discard-all-hosts-that-begin-with-ISE-in-transforms/m-p/149194#M30380 <P>It reads just the <CODE>host</CODE> field and if it starts with "ISE", the entire event will be skipped.</P> Fri, 14 Aug 2015 01:13:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-discard-all-hosts-that-begin-with-ISE-in-transforms/m-p/149194#M30380 woodcock 2015-08-14T01:13:10Z