Remove syslog data in transforms.com

All Apps and Add-ons

I have a Splunk Heavy Forwarder server that is a rsyslog server as well.

When Splunk sees the syslog data, it sets the source type, then the index name before its sent to indexing.

props.conf

[rsyslog]
TRANSFORMS-force_vmware = force_sourcetype_vmware, force_ix_vmware

transforms.conf

force_sourcetype_vmware]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(10\.30\.31\.\d+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::esxi


[force_ix_vmware]
SOURCE_KEY = MetaData:Sourcetype
REGEX = ^sourcetype::(?i)esxi$
DEST_KEY = _MetaData:Index
FORMAT = vmware

This works fine.

I now like to remove all lines (that are from vmware) that starts with:

<134>2021.....
<166>2021.....

To do so, I made a regex like this:

REGEX = ^<(134|166)>2021

I know that to remove some, I should use:

DEST_KEY = queue
FORMAT = nullQueue

But I do not get it to work. How to make sure only remove correct data from vmware only?

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest! As your trusted partner in data innovation, the ...