https://community.splunk.com/t5/Splunk-Search/REGEX-transforms-conf-NOT-operator/m-p/44788#M10577 <P>Have you looked at the docs?</P> <P>If you have a known event that you do NOT want, you can use a matching REGEX to send that event to the <CODE>nullQueue</CODE>. The rest are automatically sent to the <CODE>parsingQueue</CODE>.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest" target="_blank">http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P> <P>If you want to only keep a known set of events, you do as you did above, i.e. set the queue to <CODE>nullQueue</CODE> for all events, and then overwrite that with <CODE>parsingQueue</CODE> for the events you wish to keep.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest" target="_blank">http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> <P>UPDATE:<BR /> Saw that you send the events to <CODE>indexQueue</CODE>. You might be right but you probably want the <CODE>parsingQueue</CODE>.<BR /> Hope this helps,</P> <P>Kristian</P> Mon, 28 Sep 2020 11:46:38 GMT kristian_kolb 2020-09-28T11:46:38Z https://community.splunk.com/t5/Splunk-Search/REGEX-transforms-conf-NOT-operator/m-p/44787#M10576 <P>Hi Splunkers</P> <P>I'm new to splunk and currently playing around with the heavy forwarder. I found here several examples how to match a specific string in an event and only forward that event to the indexer. However, I could not find the opposite.</P> <P>Here is what I would like to do.</P> <P>Let's say in /var/log/messages we have those two log entries:</P> <P><CODE>May 7 08:00:14 &lt;host&gt; &lt;user&gt;: Splunk, get that line!<BR /> May 7 08:01:45 &lt;host&gt; &lt;user&gt;: Splunk, miss that line!</CODE></P> <P>My props.conf contains:</P> <P><CODE>[source::/var/log/messages]<BR /> TRANSFORMS-set=setnull,ignore</CODE></P> <P>My transforms.conf contains:</P> <P><CODE>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</CODE></P> <P><CODE>[ignore]<BR /> REGEX = !miss<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</CODE></P> <P>I have tryed several regex for the <STRONG>NOT miss</STRONG> part. So far I have not found any solution. Again, my goal is not to match the first line. I know how that is done. I want to match everything except something with a key word. At the end I should be able to exclude known events and always receive on my indexer what is wanted or sofar unknown.</P> <P>Thank you for your help</P> Mon, 07 May 2012 14:25:58 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-transforms-conf-NOT-operator/m-p/44787#M10576 aspa 2012-05-07T14:25:58Z https://community.splunk.com/t5/Splunk-Search/REGEX-transforms-conf-NOT-operator/m-p/44788#M10577 <P>Have you looked at the docs?</P> <P>If you have a known event that you do NOT want, you can use a matching REGEX to send that event to the <CODE>nullQueue</CODE>. The rest are automatically sent to the <CODE>parsingQueue</CODE>.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest" target="_blank">http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P> <P>If you want to only keep a known set of events, you do as you did above, i.e. set the queue to <CODE>nullQueue</CODE> for all events, and then overwrite that with <CODE>parsingQueue</CODE> for the events you wish to keep.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest" target="_blank">http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> <P>UPDATE:<BR /> Saw that you send the events to <CODE>indexQueue</CODE>. You might be right but you probably want the <CODE>parsingQueue</CODE>.<BR /> Hope this helps,</P> <P>Kristian</P> Mon, 28 Sep 2020 11:46:38 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-transforms-conf-NOT-operator/m-p/44788#M10577 kristian_kolb 2020-09-28T11:46:38Z https://community.splunk.com/t5/Splunk-Search/REGEX-transforms-conf-NOT-operator/m-p/44789#M10578 <P>Hello Kristian</P> <P>Thank you for your reply. I figured out where my failure was in the configuration. Your post helped me a lot!</P> <P>I just post shortly my solution:</P> <P>The props.conf remains almost the same as above:</P> <P><CODE>[source::/var/log/messages]<BR /> TRANSFORMS-set=ignore</CODE></P> <P>The transforms.conf changed the most and is now shorter:</P> <P><CODE>[ignore]<BR /> REGEX = miss<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</CODE></P> <P>By sending the event matching the REGEX to the nullQueue, the event is not forwarded to the indexer.</P> Tue, 08 May 2012 12:35:35 GMT https://community.splunk.com/t5/Splunk-Search/REGEX-transforms-conf-NOT-operator/m-p/44789#M10578 aspa 2012-05-08T12:35:35Z