I have an index named myindex.
I'm trying to filter out lines that contain CRON entries in the auth.log, and send them to myindex. I'm using a negative regex search so any line that doesn't contain CRON matches, and therefore appear in myindex. I'm using the following transforms.config and props.config files.
[filter_out_cron] REGEX=^(?!.*CRON\[.*?\]:).*$ DEST_KEY=_MetaData:Index FORMAT=myindex
The auth.log lines with CRON entries are still appearing, but I can't tell why. Does this look like a configuration that should work?
Your settings are correct so it must be something else. If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value, NOT the new value. You must deploy your settings to the first full instance(s) of Splunk that handle the events (usually either the HF tier if you use one, or else your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using
_index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.