https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415209#M94242 <P>Try changing transforms to this</P> <PRE><CODE> [setnull] REGEX = .* DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = action\=blocked DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> Mon, 20 Aug 2018 11:53:06 GMT jkat54 2018-08-20T11:53:06Z https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415204#M94237 <P>i need only recieve events with action=blocked from farwrders,</P> <P>my logs are :<BR /> Aug 18 12:56:13 192.168.X.X date=2018-08-18 time=12:50:36 devname="XXX" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1534580436 srcip=192.168.x.x srcname="SPLUNK" srcport=138 srcintf="internal" srcintfrole="lan" dstip=192.168.x.x dstport=138 dstintf=unknown-0 dstintfrole="undefined" sessionid=76899473 proto=17 action="deny" policyid=0 policytype="local-in-policy" service="udp/138" dstcountry="Reserved" </P> <P>i config my props.conf:</P> <PRE><CODE>[host::192.168.X.X] TRANSFORMS-null= setnull,setparsing </CODE></PRE> <P>and transforms.conf</P> <PRE><CODE>[setnull] REGEX = .* DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = (?m)^action=(blocked) DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>but when i do this forwarder doesn't receive any logs from my device,can you tell me where is my mistake?</P> Sat, 18 Aug 2018 11:04:24 GMT https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415204#M94237 khanlarloo 2018-08-18T11:04:24Z https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415205#M94238 <P>Your regex in the setnull is too broad. <CODE>.*</CODE> will match everything. Thus sending everything to null queue, and never to indexes.</P> <P>Your regex in setparsing is interesting.</P> <P><CODE>REGEX = (?m)^action=(blocked)</CODE></P> <P>This would only match events that begin with "action=blocked", but i dont understand why you have a capture group around (blocked). </P> Sat, 18 Aug 2018 16:33:31 GMT https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415205#M94238 jkat54 2018-08-18T16:33:31Z https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415206#M94239 <P>i have problem when i do this i don't receive any logs from my device in forwarder <BR /> where is my mistake? is this configuration right?</P> Sat, 18 Aug 2018 18:42:48 GMT https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415206#M94239 khanlarloo 2018-08-18T18:42:48Z https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415207#M94240 <P>What are you trying to do?</P> Sat, 18 Aug 2018 19:52:59 GMT https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415207#M94240 jkat54 2018-08-18T19:52:59Z https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415208#M94241 <P>i have one HF and i want to send specific field from my HF to receiver. <BR /> the field in my HF is action and i want HF just send field action=block to my receiver.</P> Mon, 20 Aug 2018 03:49:01 GMT https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415208#M94241 khanlarloo 2018-08-20T03:49:01Z https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415209#M94242 <P>Try changing transforms to this</P> <PRE><CODE> [setnull] REGEX = .* DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = action\=blocked DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> Mon, 20 Aug 2018 11:53:06 GMT https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415209#M94242 jkat54 2018-08-20T11:53:06Z https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415210#M94243 <P>i do this in my HF but it doesn't work.</P> Sun, 26 Aug 2018 05:56:22 GMT https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415210#M94243 khanlarloo 2018-08-26T05:56:22Z https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415211#M94244 <P>In your transforms, try putting nullQueue 2nd</P> <PRE><CODE>TRANSFORMS-null= setparsing, setnull </CODE></PRE> <P>Make sure you reload the data to see the effect </P> Sun, 26 Aug 2018 11:30:49 GMT https://community.splunk.com/t5/Getting-Data-In/forward-specified-events-to-reciever/m-p/415211#M94244 jkat54 2018-08-26T11:30:49Z