I tried with this:
In props.conf, set the TRANSFORMS-null attribute:
Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
```
REGEX = [sshd]
DEST_KEY = queue
FORMAT = nullQueue
```
Restart Splunk Enterprise.
In theory his original regex would have matched as well (and many events it shouldn't have), since it matches any event that has an s, h or d character in it.
A couple of other things to take into account:
- ensure this is on the first HF / Indexer that touches the data
- make sure that transforms stanza name is actually unique. "setnull" is quite generic and might conflict with another transforms config you have under that same name
- you say "event still exist": realize that deploying this config will only affect events ingested from now on. So when validating, also make very sure you are only looking at events ingested after the change was made.
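To see both points from the answer concretely (the character-class regex and the stanza-name collision), here is an added example that is not code from the thread or from Splunk: a small Python script that parses transforms.conf-style stanzas and routes constructed sample events the way the parsing queue would. The stanza name `setnull` is taken from the answer; the escaped form `\[sshd\]` is the regex that matches the literal text "[sshd]", and `drop_sshd_syslog` with `sshd\[\d+\]:` is an assumed alternative for syslog-style sshd lines. Python's `re` stands in for Splunk's PCRE engine, and the sample events are constructed, not real logs.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the thread): two sshd lines in syslog
# form, three unrelated lines, and one line containing the literal text
# "[sshd]" that the escaped docs-style regex is written for.
SAMPLE_EVENTS = [
    "Mar  3 10:15:01 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Mar  3 10:15:02 host1 sshd[1234]: pam_unix(sshd:session): session opened for user alice",
    "Mar  3 10:16:00 host1 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Mar  3 10:17:00 host1 CRON[2222]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 10:18:00 host1 kernel: audit: type=1400 apparmor=DENIED",
    "Mar  3 10:19:00 host1 app: [sshd] module reloaded",
]

# The stanza as pasted in the question: [sshd] is a character class (s, h or d).
TRANSFORMS_AS_POSTED = r"""
[setnull]
REGEX = [sshd]
DEST_KEY = queue
FORMAT = nullQueue
"""

# Same stanza with the brackets escaped, so REGEX matches the literal "[sshd]".
TRANSFORMS_ESCAPED = r"""
[setnull]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = nullQueue
"""

# Assumed alternative (not from the thread): drop syslog-format sshd events
# ("sshd[<pid>]:") under a less generic stanza name.
TRANSFORMS_SYSLOG_SSHD = r"""
[drop_sshd_syslog]
REGEX = sshd\[\d+\]:
DEST_KEY = queue
FORMAT = nullQueue
"""


def parse_transforms(text):
    """Minimal transforms.conf-style parser: {stanza: {KEY: value}}.
    Handles [stanza] headers, KEY = value lines, blank lines and # comments only."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def route_events(events, stanzas):
    """Apply every nullQueue transform to each event: an event whose _raw
    matches REGEX (unanchored search, as with the default SOURCE_KEY) goes to
    nullQueue, everything else is indexed. Python re stands in for PCRE."""
    drop_patterns = [
        re.compile(s["REGEX"])
        for s in stanzas.values()
        if s.get("DEST_KEY") == "queue" and s.get("FORMAT") == "nullQueue"
    ]
    routed = {"indexed": [], "nullQueue": []}
    for event in events:
        dest = "nullQueue" if any(p.search(event) for p in drop_patterns) else "indexed"
        routed[dest].append(event)
    return routed


def find_duplicate_stanzas(conf_texts):
    """conf_texts maps a file path to its transforms.conf contents. Returns
    {stanza_name: [paths]} for every name defined in more than one file,
    i.e. the 'setnull is quite generic' collision the answer warns about."""
    seen = defaultdict(list)
    for path, text in conf_texts.items():
        for name in parse_transforms(text):
            seen[name].append(path)
    return {name: paths for name, paths in seen.items() if len(paths) > 1}


if __name__ == "__main__":
    for label, conf in [("as posted", TRANSFORMS_AS_POSTED),
                        ("escaped", TRANSFORMS_ESCAPED),
                        ("syslog sshd", TRANSFORMS_SYSLOG_SSHD)]:
        routed = route_events(SAMPLE_EVENTS, parse_transforms(conf))
        print(f"{label}: {len(routed['nullQueue'])} dropped, {len(routed['indexed'])} indexed")
    # Paths are illustrative; any two files defining [setnull] collide.
    print("duplicate stanza names:", find_duplicate_stanzas({
        "etc/system/local/transforms.conf": TRANSFORMS_AS_POSTED,
        "etc/apps/search/local/transforms.conf": TRANSFORMS_ESCAPED,
    }))
```

With the stanza as posted, every sample event is dropped, because each contains "host1" and therefore an s or h; the escaped regex drops only the line containing the literal "[sshd]", and the syslog variant drops only the two `sshd[1234]:` lines. Running this kind of replay against a sample of your own events before restarting the first heavy forwarder or indexer is the cheap way to confirm a nullQueue transform does not silently discard the authentication events you still want indexed.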