Trying to send all events with this contained to nullqueue:

Host Application = C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe -NoLogo -Noninteractive -NoProfile -ExecutionPolicy Bypass & 'C:\WINDOWS\CCM\SystemTemp\02160779-88dd-4e84-96cc-7a1313cd97d9.ps1'

Here are my props & transforms entries:

[WinEventLog:Splunk-PowerShell]
TRANSFORMS-suppress-ps = suppress-powershell

[suppress-powershell]
REGEX=^Host\s?Application\s?=\s?C:\\WINDOWS\\system32\\WindowsPowerShell\\v1\.0\\PowerShell\.exe\s-NoLogo\s-Noninteractive\s-NoProfile\s-ExecutionPolicy\sBypass\s&\s'C:\\WINDOWS\\CCM\\SystemTemp\\[\d\w]{8}-[\d\w]{4}-[\d\w]{4}-[\d\w]{4}-[\d\w]{12}\.ps1'(\sFalse)?
DEST_KEY=queue
FORMAT=nullQueue

Matches when I use regex checkers like regexr. I've seen people suggest both double backslash and four backslashes for escaping, not sure which is appropriate for transforms. Using the four backslashes and the regex command in the search does work, but I need these events filtered out of indexing. I'd also like to use (?i) as a modifier for case insensitivity, but I need to get this part working first.