https://community.splunk.com/t5/Getting-Data-In/do-not-index-events-using-props-transforms-regex-help/m-p/505338#M86103 <P>Hi,</P><P>I would try to use some regex like this one:</P><P>&nbsp;</P><LI-CODE lang="markup">^.+screenconnect\.techmedia\.com\.au.+$</LI-CODE><P>&nbsp;</P><P>I have tested it using Regex101 (<A href="https://regex101.com/r/gHJVDp/2" target="_blank" rel="noopener">https://regex101.com/r/gHJVDp/2</A>), with the URLs below:</P><P>&nbsp;</P><LI-CODE lang="markup">screenconnect.techmedia.com.au screenconnect2.techmedia.com.au screenconnect.techmedia10.com.au</LI-CODE><P>&nbsp;</P><P>* I also recommend you to test this regex (and any other you build or find) in a dev environment, before using it in your production transforms.conf file.</P> Sat, 20 Jun 2020 14:25:06 GMT alonsocaio 2020-06-20T14:25:06Z https://community.splunk.com/t5/Getting-Data-In/do-not-index-events-using-props-transforms-regex-help/m-p/504031#M85946 <P>Hi</P><P>A recent agent install across our infrastructure has created a flood in the proxy logs of blocked messages which is blowing out our license.</P><P>Until there is a proper fix I need to stop ingesting events related to 1 URL.</P><P>I think&nbsp; I just need help with the REGEX part.</P><P>Log are dropped to a syslog server running a heavy forwarder, then we run a monitor on that log file.</P><P>Inputs.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[monitor:///remotesyslogs/mgmt-austaiaecho00*/*.log] disabled = false index = star_proxy sourcetype = cisco:wsa:squid</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>props.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[cisco:wsa:squid] TRANSFORMS-screen=eliminate-screenconnect</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>transforms.conf</P><P>&nbsp;</P><LI-CODE lang="markup">[eliminate-screenconnect] REGEX = ?.=screenconnect DEST_KEYi = queue FORMAT = nullQueue</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Example event from log file:</P><P>&nbsp;</P><LI-CODE lang="markup">2020-06-12T04:04:55+10:00 mgmt-austaiaecho005.casino.internal accesslogs_splunk: Info: 1591898695.320 0 10.10.216.100 TCP_DENIED/407 0 CONNECT tunnel://screenconnect.techmedia.com.au:8080/ - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE &lt;-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"&gt; - - "12/Jun/2020:04:04:55 +1000" -</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Basically for next 4 weeks I need to drop all events with</P><P>&nbsp;</P><LI-CODE lang="markup"> screenconnect.techmedia.com.au</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P><P>Mark</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 12 Jun 2020 02:31:03 GMT https://community.splunk.com/t5/Getting-Data-In/do-not-index-events-using-props-transforms-regex-help/m-p/504031#M85946 mjm295 2020-06-12T02:31:03Z https://community.splunk.com/t5/Getting-Data-In/do-not-index-events-using-props-transforms-regex-help/m-p/505338#M86103 <P>Hi,</P><P>I would try to use some regex like this one:</P><P>&nbsp;</P><LI-CODE lang="markup">^.+screenconnect\.techmedia\.com\.au.+$</LI-CODE><P>&nbsp;</P><P>I have tested it using Regex101 (<A href="https://regex101.com/r/gHJVDp/2" target="_blank" rel="noopener">https://regex101.com/r/gHJVDp/2</A>), with the URLs below:</P><P>&nbsp;</P><LI-CODE lang="markup">screenconnect.techmedia.com.au screenconnect2.techmedia.com.au screenconnect.techmedia10.com.au</LI-CODE><P>&nbsp;</P><P>* I also recommend you to test this regex (and any other you build or find) in a dev environment, before using it in your production transforms.conf file.</P> Sat, 20 Jun 2020 14:25:06 GMT https://community.splunk.com/t5/Getting-Data-In/do-not-index-events-using-props-transforms-regex-help/m-p/505338#M86103 alonsocaio 2020-06-20T14:25:06Z https://community.splunk.com/t5/Getting-Data-In/do-not-index-events-using-props-transforms-regex-help/m-p/505364#M86109 <LI-CODE lang="markup">[eliminate-screenconnect] REGEX = screenconnect\.techmedia\.com\.au DEST_KEY = queue FORMAT = nullQueue</LI-CODE><P>A simple REGEX is enough for nullQueue.</P> Sun, 21 Jun 2020 01:02:18 GMT https://community.splunk.com/t5/Getting-Data-In/do-not-index-events-using-props-transforms-regex-help/m-p/505364#M86109 to4kawa 2020-06-21T01:02:18Z