Based on this, I have identified the method:
Keep specific events and discard the rest
Keeping only some events and discarding the rest requires two transforms. In this scenario, which is the opposite of the previous one, the setnull transform routes all events to nullQueue while the setparsing transform selects the sshd events and sends them on to indexQueue.
As with other index-time field extractions, processing of transforms happens in the order that you specify them, from left to right. The key difference is the order in which you specify the stanzas. In this example, the setnull stanza must appear first in the list. This is because if you set it last, it matches all events and sends them to the nullQueue, and as it is the last transform, it effectively throws all of the events away, even those that previously matched the setparsing stanza.
When you set the setnull transform first, it matches all events and tags them to be sent to the nullQueue. The setparsing transform then follows, and tags events that match [sshd] to go to the indexQueue. The result is that the events that contain [sshd] get passed on, while all other events get dropped.
props.conf:

[source:splunk://tcp:9997]
TRANSFORMS-set = setnull,setparsing

transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = indexQueue
What will be the regex if I want to regex by index?
Currently, I am receiving a copy of the events from an external Splunk indexer, and wish to filter the data out before it reaches my Splunk indexer.
Option 1: Try like below to push to an index
[setparsing]
REGEX=\[sshd\]
DEST_KEY=_MetaData:Index
FORMAT=my_new_index
Option 2: Another idea to try out is to ensure the `sshd` type of data has a new sourcetype
[setparsing]
REGEX = \[sshd\]
FORMAT = sourcetype::mycustom:linux:sshd
DEST_KEY = MetaData:Sourcetype
and then in your props.conf. This way you can group relevant data into a sourcetype, which can then be pushed to the relevant index.
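As an added illustration, not part of the quoted docs or of the answer above: a small Python model of the left-to-right transform evaluation the docs describe, run over two constructed log lines. It shows why setnull has to come before setparsing, and how Option 1's `_MetaData:Index` routing behaves; the pipeline simulation, the assumed defaults and the sample events are my assumptions, not Splunk's own code.

```python
import re

# Simplified model (an assumption, not Splunk's implementation) of index-time
# TRANSFORMS: each transform in the list is tried left to right, and every one
# whose REGEX matches the raw event overwrites its DEST_KEY, so the last match wins.
TRANSFORMS = {
    # Quoted docs: setnull matches every event and routes it to nullQueue ...
    "setnull":    {"REGEX": r".",        "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    # ... and setparsing re-routes the [sshd] events to indexQueue.
    "setparsing": {"REGEX": r"\[sshd\]", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
    # Option 1 from the answer: send [sshd] events to a dedicated index instead.
    "setindex":   {"REGEX": r"\[sshd\]", "DEST_KEY": "_MetaData:Index", "FORMAT": "my_new_index"},
}

def apply_transforms(event, order):
    """Return the routing metadata an event carries after the transforms run."""
    meta = {"queue": "indexQueue", "_MetaData:Index": "main"}  # assumed defaults
    for name in order:
        t = TRANSFORMS[name]
        if re.search(t["REGEX"], event):
            meta[t["DEST_KEY"]] = t["FORMAT"]
    return meta

def kept_events(events, order):
    """Events that reach indexQueue (everything sent to nullQueue is dropped)."""
    return [e for e in events if apply_transforms(e, order)["queue"] == "indexQueue"]

def index_for(event, order):
    """Index an event lands in under the given transform order."""
    return apply_transforms(event, order)["_MetaData:Index"]

# Constructed sample events: one sshd line and one unrelated cron line.
EVENTS = [
    "Jan  1 10:00:00 host [sshd] Accepted publickey for alice from 10.0.0.5",
    "Jan  1 10:00:01 host [cron] (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    # TRANSFORMS-set = setnull,setparsing keeps only the sshd event ...
    print(kept_events(EVENTS, ["setnull", "setparsing"]))
    # ... whereas the reversed order lets setnull run last and drops everything.
    print(kept_events(EVENTS, ["setparsing", "setnull"]))
    # Option 1: only the sshd event is redirected to my_new_index.
    print([index_for(e, ["setindex"]) for e in EVENTS])
```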