Hi.
I'm trying to apply a rule for dropping and, meanwhile, get only some events in Indexers.

Here we are,

props.conf

[mysourcetype]
TRANSFORMS-filter = drop

transforms.conf

[drop]
REGEX = drop_event1|drop_event2|drop_eventX
DEST_KEY = queue
FORMAT = nullQueue

This is the standard way for dropping. And it works!

But, at the same time, i can't get a way to make both work with drop and get transformation,

props.conf

[mysourcetype]
TRANSFORMS-filter = drop,filter

transforms.conf

[drop]
REGEX = drop_event1|drop_event2|drop_eventX
DEST_KEY = queue
FORMAT = nullQueue

[filter]
REGEX = get_event1|get_event2|get_eventX
DEST_KEY = queue
FORMAT = indexQueue

I would like to explain Splunk 8,

1. FIRST: drop all events containing pattern regex "drop_event1|drop_event2|drop_eventX"
2. SECOND: get only events containing pattern regex "get_event1|get_event2|get_eventX"

It does not work! Splunk, after correctly dropping, gets all (".*"), except as said "drop_event1|drop_event2|drop_eventX" 😪

Any suggestion?