https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513068#M86997 <P>Here is a link the dataset and the regex.&nbsp; It is working on regexr but not in transforms.conf.&nbsp; I have tested by using . as my regex and it then sends all logs to the nullqueue so I know the stanzas are correct, it's a problem with the regex and I have not been able to figure it out.</P><P><SPAN><A href="https://regexr.com/59qu2" target="_blank">https://regexr.com/59qu2</A><BR /></SPAN></P><P><SPAN>Here are my stanzas from props.conf and transforms.conf</SPAN></P><P>props.conf<BR />[cs_replicator]<BR />TRANSFORMS-CS = EliminateCS2</P><P>&nbsp;</P><P>Transforms.conf<BR />[EliminateCS2]<BR />REGEX = (?:{"ScreenshotsTakenCount".*|{"ProcessCreateFlags").*<BR />DEST_Key = queue<BR />FORMAT = nullQueue<BR /><BR />Any help is appreciated.&nbsp;&nbsp;</P> Fri, 07 Aug 2020 18:08:38 GMT byeb1264 2020-08-07T18:08:38Z https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513068#M86997 <P>Here is a link the dataset and the regex.&nbsp; It is working on regexr but not in transforms.conf.&nbsp; I have tested by using . as my regex and it then sends all logs to the nullqueue so I know the stanzas are correct, it's a problem with the regex and I have not been able to figure it out.</P><P><SPAN><A href="https://regexr.com/59qu2" target="_blank">https://regexr.com/59qu2</A><BR /></SPAN></P><P><SPAN>Here are my stanzas from props.conf and transforms.conf</SPAN></P><P>props.conf<BR />[cs_replicator]<BR />TRANSFORMS-CS = EliminateCS2</P><P>&nbsp;</P><P>Transforms.conf<BR />[EliminateCS2]<BR />REGEX = (?:{"ScreenshotsTakenCount".*|{"ProcessCreateFlags").*<BR />DEST_Key = queue<BR />FORMAT = nullQueue<BR /><BR />Any help is appreciated.&nbsp;&nbsp;</P> Fri, 07 Aug 2020 18:08:38 GMT https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513068#M86997 byeb1264 2020-08-07T18:08:38Z https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513070#M86998 <P><SPAN>Transforms.conf</SPAN><BR /><SPAN>[EliminateCS2]</SPAN><BR /><SPAN>REGEX = ScreenshotsTakenCount|ProcessCreateFlags</SPAN><BR /><SPAN>DEST_Key = queue</SPAN><BR /><SPAN>FORMAT = nullQueue</SPAN></P><P>This is enough.</P> Fri, 07 Aug 2020 18:27:04 GMT https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513070#M86998 to4kawa 2020-08-07T18:27:04Z https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513076#M86999 <P>Thank you for the response.&nbsp; That regex is not working either.&nbsp;&nbsp;</P> Fri, 07 Aug 2020 18:45:36 GMT https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513076#M86999 byeb1264 2020-08-07T18:45:36Z https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513081#M87000 <P>[nullqueue_json]<BR />KV_MODE = json<BR />LINE_BREAKER = ([\r\n]+)<BR />NO_BINARY_CHECK = true<BR />category = Structured<BR />description = JavaScript Object Notation format. For more information, visit <A href="http://json.org/" target="_blank">http://json.org/</A><BR />disabled = false<BR />pulldown_type = true<BR />TIME_PREFIX = timestamp\":\"<BR />TRANSFORMS-CS = nullqueue_json<BR /><BR />my test setting.</P><P><STRONG>INDEXED_EXTRACTIONS=json</STRONG>&nbsp;interferes with <STRONG>nullqueue</STRONG>.<BR />try <STRONG>KV_MODE=json</STRONG></P> Fri, 07 Aug 2020 19:08:03 GMT https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513081#M87000 to4kawa 2020-08-07T19:08:03Z https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513095#M87003 <P>Thanks for the info.&nbsp; I am making progress but not quite there yet.&nbsp; I think the problem is with the line breaking.&nbsp; The events are being being separated properly which is causing the regex to fail.<BR /><BR />I am guessing that I just need the proper line_breaker regex and I will be good.&nbsp; The end of line character in the json logs is }&nbsp;<BR /><BR />I thought I could just use that as my line breaker but it's not working properly.&nbsp; I have tried the line breaks below.<BR /><BR /></P><P>LINE_BREAKER = }<BR /><SPAN>LINE_BREAKER = ([\r\n]+)</SPAN></P> Fri, 07 Aug 2020 20:50:07 GMT https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513095#M87003 byeb1264 2020-08-07T20:50:07Z https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513112#M87007 <P>LINE_BREAKER = (){<BR /><BR /><BR /></P> Fri, 07 Aug 2020 23:44:25 GMT https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513112#M87007 to4kawa 2020-08-07T23:44:25Z https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513556#M87086 <P>So now I have the line break and stanza correct as the events are finally being broken properly.&nbsp; The regex to send some of the events to nullqueue is still failing.&nbsp; I will post a sample of an event I want to go to nullqueu and see if anyone knows a regex that will catch the event and send it to nullqueue.&nbsp; I will also re-post my current stanzas.<BR /><BR />props.conf</P><P>[cs_replicator]<BR />TRANSFORMS-CS = EliminateCS2<BR />TRANSFORMS-CS = EliminateCS1<BR />KV_MODE = json<BR />LINE_BREAKER = (){<BR />SHOULD_LINEMERGE = false<BR />NO_BINARY_CHECK = false<BR />category = Structured<BR />description = JavaScript Object Notation format. For more information, visit <A href="http://json.org/" target="_blank">http://json.org/</A><BR />disabled = false<BR />TIME_PREFIX="timestamp":"<BR />TIME_FORMAT = %s%3N TZ=UTC<BR />pulldown_type = 1</P><P>transforms.conf</P><P>[EliminateCS1]<BR />REGEX = event_simpleName!=EndOfProcess<BR />DEST_Key = queue<BR />FORMAT = nullQueue</P><P>[EliminateCS2]<BR />REGEX = event_simpleName!=ProcessRollup2<BR />DEST_Key = queue<BR />FORMAT = nullQueue</P><P>&nbsp;</P><P>Sample raw event:</P><LI-CODE lang="markup">{"ProcessCreateFlags":"67109888","IntegrityLevel":"16384","ParentProcessId":"33794688676116","SourceProcessId":"33794688676116","aip":"97.78.178.74","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-18","event_platform":"Win","TokenType":"1","ProcessEndTime":"","ParentBaseFileName":"btool.exe","ImageSubsystem":"3","id":"c3385391-dbc9-11ea-a5c6-0266311e7407","EffectiveTransmissionClass":"3","SessionId":"0","Tags":"27, 29, 40, 53, 54, 12094627905582","timestamp":"1597147019837","event_simpleName":"ProcessRollup2","RawProcessId":"6140","ConfigStateHash":"2029599784","MD5HashData":"1d5d767be226372deafbc19e716951e5","SHA256HashData":"ca3799b190ffd79c910dc0a4395b5b1fc6dacbfc2b8dbf65328d2a5ca09dec5a","ProcessSxsFlags":"64","AuthenticationId":"999","ConfigBuild":"1007.3.0011406.1","WindowFlags":"384","CommandLine":"\"E:\\Program Files\\Splunk\\bin\\SplunkD.EXE\" btool web list","ParentAuthenticationId":"999","TargetProcessId":"33794689225796","ImageFileName":"\\Device\\HarddiskVolume3\\Program Files\\Splunk\\bin\\splunkd.exe","SourceThreadId":"439906675541924","Entitlements":"15","name":"ProcessRollup2V17","ProcessStartTime":"1597147019.397","ProcessParameterFlags":"24577","aid":"8abeeb6f90da4cf3abc45b5d6fdd79cf","cid":"0396954fdb9e4990ac33e9deb40e211b"}</LI-CODE> Tue, 11 Aug 2020 12:09:30 GMT https://community.splunk.com/t5/Getting-Data-In/Nullqueue-not-working/m-p/513556#M87086 byeb1264 2020-08-11T12:09:30Z