If my value is something like :

AAA\s[good\sverygood\swow]

then it should be like

[^AAA\s[good.verygood.wow]] right ? please suggest !!

those \s literal or regex spaces?

I am giving \s for denoting spaces and also giving \ before .

I have a string like

blah blah AAA [good.verygood.wow] blah blah

How about the docs approach of nulling everything and explicitly keep only the AAA [good events like this:

In props.conf:

[AAA_GOOD]
TRANSFORMS-set= setnull,setparsing

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = AAA\s\[good
DEST_KEY = queue
FORMAT = indexQueue

I tend to setup things the way you can remember what they mean in two years from now.

I have done :

in props.conf

[AAA_GOOD]
SHOULD_LINEMERGE = false
TRANSFORMS-set = setnull,setparsing,add_host,BBB_MORE

in transforms.conf

[setnull]
REGEX= .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = AAA\s[good
DEST_KEY = queue
FORMAT = AAA_Index

[add_host]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(.*)$
FORMAT = HS="$1" $0
DEST_KEY = _raw

[BBB_MORE]
REGEX=^(.?)\s(\d+-\d+-\d+)\s(\d+:\d+:\d+,\d+)\sAAA\s[good]\s[\d+]\s(\w+)\s::\s(.)
FORMAT=$1 AA=aa BB=bb CC="$2T$3" DD=$4 EE=$5
DEST_KEY = _raw

Please let me know if this is correct.

I am using my own index name "AAA_Index" instead of "indexQueue" in props.conf suggested by you. Is it correct ?

No that's wrong, you cannot specify an index in this case, because the DEST_KEY is queue. If you want to rewrite the index you must use this:

DEST_KEY = _MetaData:Index
FORMAT = AAA_Index

And as hint: provide such information in the initial question 😉 makes it easier to answer 🙂