https://community.splunk.com/t5/Alerting/udp-514-input-exclusion/m-p/557234#M10615 <P>Thanks for your help! This did exactly what I was looking for.</P> Fri, 25 Jun 2021 18:47:17 GMT joeybroesky 2021-06-25T18:47:17Z https://community.splunk.com/t5/Alerting/udp-514-input-exclusion/m-p/556884#M10605 <P>We have logs coming in udp port 514 and want to exclude indexing events with the field "action" equaling "accept". We have tried inserting the following into the inputs.conf but does not work.</P><P>blacklist = action = "accept"</P><P>Please assist.</P> Wed, 23 Jun 2021 16:36:18 GMT https://community.splunk.com/t5/Alerting/udp-514-input-exclusion/m-p/556884#M10605 joeybroesky 2021-06-23T16:36:18Z https://community.splunk.com/t5/Alerting/udp-514-input-exclusion/m-p/556914#M10609 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/44020">@joeybroesky</a>&nbsp;</P><P>There seems no blacklist setting exist as per inputs conf -&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/Inputsconf#UDP:" target="_blank">inputs.conf - Splunk Documentation</A></P><P>You can send the events to nullQueue to avoid indexing apply the following conf on HF/indexer.&nbsp;</P><LI-CODE lang="markup">#props.conf [your_udp_sourcetype/source::&lt;source&gt;/host::&lt;hostname&gt;] TRANSFORMS-null= setnull #transforms.conf [setnull] REGEX = action\s+=\s+\"accept\" DEST_KEY = queue FORMAT = nullQueue</LI-CODE><P>&nbsp;----</P><P>An upvote would be appreciated and accept solution if it helps!</P><DIV class="view-original-post-link">&nbsp;</DIV> Thu, 24 Jun 2021 00:47:21 GMT https://community.splunk.com/t5/Alerting/udp-514-input-exclusion/m-p/556914#M10609 venkatasri 2021-06-24T00:47:21Z https://community.splunk.com/t5/Alerting/udp-514-input-exclusion/m-p/557234#M10615 <P>Thanks for your help! This did exactly what I was looking for.</P> Fri, 25 Jun 2021 18:47:17 GMT https://community.splunk.com/t5/Alerting/udp-514-input-exclusion/m-p/557234#M10615 joeybroesky 2021-06-25T18:47:17Z