https://community.splunk.com/t5/Monitoring-Splunk/Filter-DNS-debug-log-at-index/m-p/62929#M7174 <P>Hi henocqr</P> <P>your regex to pick up NOERROR would be <CODE>NOERROR</CODE>, but I think you want to pick up each event which contains NOERROR and route it to the null queue, right?<BR /> then the regex would be <CODE>.*NOERROR.*</CODE></P> <P>cheers</P> Thu, 02 Feb 2012 13:46:47 GMT MuS 2012-02-02T13:46:47Z https://community.splunk.com/t5/Monitoring-Splunk/Filter-DNS-debug-log-at-index/m-p/62928#M7173 <P>Hi</P> <P>I want to drop resolved DNS requests at index time.</P> <P>Windows 2008 DNS log format using Splunk 4.3</P> <P>Can anyone help me with the REGEX to pick up NOERROR from log format:-</P> <P>02/02/2012 11:19:06 1CB4 PACKET 0000000003C7A6C0 UDP Rcv 10.112.89.5 a3df Q [1001 D NOERROR] PTR .....</P> <P>I plan to send to null queue using props &amp; tranforms.</P> <P>Thanks<BR /> Ray</P> Thu, 02 Feb 2012 11:51:03 GMT https://community.splunk.com/t5/Monitoring-Splunk/Filter-DNS-debug-log-at-index/m-p/62928#M7173 henocqr 2012-02-02T11:51:03Z https://community.splunk.com/t5/Monitoring-Splunk/Filter-DNS-debug-log-at-index/m-p/62929#M7174 <P>Hi henocqr</P> <P>your regex to pick up NOERROR would be <CODE>NOERROR</CODE>, but I think you want to pick up each event which contains NOERROR and route it to the null queue, right?<BR /> then the regex would be <CODE>.*NOERROR.*</CODE></P> <P>cheers</P> Thu, 02 Feb 2012 13:46:47 GMT https://community.splunk.com/t5/Monitoring-Splunk/Filter-DNS-debug-log-at-index/m-p/62929#M7174 MuS 2012-02-02T13:46:47Z