Hi and thanks

Hm, so basically I could do something like:

props.conf

[source::/my/source/here]
TRANSFORMS-null= setnull

transforms.conf

[setnull]
REGEX = ^#[a-zA-Z]+: 
DEST_KEY = queue
FORMAT = nullQueue

In the same files where I define field extraction? Currently this TA lives on the search heads and the universal forwarder collecting the log. Do I need this TA anywhere else or would that be enough?

Thank you again

As per documentation: "Although similar to forwarder-based routing, queue routing can be performed by an indexer, as well as a heavy forwarder." Which means that you need to create a TA and deploy it to the indexer(s) or heavy forwarder (if your are using it).

The transforms file should be ok, if you are sure that events you want to keep, will not match provided REGEX.

Ah, the "caveat" at the end...

So yeah, I need to deploy the TA to the indexers to "skip" these header events once per 24h. Not sure I understand the manual here 100% though. Is it enough if this config is present on indexers and heavy forwarders, or should I push this to universal forwarder and search heads as well?

Regarding the regex, no events should ever start with # for this source, so that should be OK.

Thank you again! Fantastic feedback

You only need those props and transforms conf files on indexers/heavy forwarders.

Fantastic!

I'll mark the initial reply as the solution and se if I can get the configuration deployed. Fingers crossed