The filter will not affect events that have already been indexed, and the configs should be on the indexer or heavy forwarder that is doing the indexing. If you put the configs on the universal forwarder it will not work.

Are you making the configurations in the correct file/on the correct host?

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

Using my configuration and just changing the regex that you provided still doesn't work the filter with the events that I posted.

I did not see it as a question, either. And while your configuration (read: the regex) might work fine now, it is far safer to use the one I suggested below. Counting sequences of "non-dots followed by a dot" can break if there is an extra dot somewhere in an event, prior to the status code.

/k

Thanks,

After all, the question is that with this configuration I can't filter events 200.

That seems like a very complicated (and possibly error-prone) regex for finding the events you want to filter out. Since the end of the message is much more predictable, it seems more convenient to anchor the regex there. Suggestion;

props.conf

[webexchange]
TRANSFORMS-set= descartar

transforms.conf

[descartar]
REGEX = \s200\s\d+\s\d+$
DEST_KEY = queue
FORMAT = nullQueue

/k

This is done by defining a regex to match the necessary event(s) and send everything else to nullqueue

Here is a basic example that will drop everything except events that contain the string login
In props.conf:

[source::/var/log/foo]

Transforms must be applied in this
order to make sure events are dropped
on the floor prior to making their way
to the index processor

TRANSFORMS-set= setnull,setparsing
In transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = login
DEST_KEY = queue
FORMAT = indexQueue

Do you have a question?