Now I need to test this. Since I have to do this via Splunk Web, I'm trying to set up these options in a new sourcetype, via the advanced options. I know I can set up a sourcetype to properly parse the events, but whenever I add some of the code as new settings, Splunk automatically deletes them (as with TRANSFORMS-set=setnull,setparsing) or replaces them (I obviously cannot have two REGEX). Basically, is it even possible to set this up in Splunk Web? If so, can you link me to the relevant documentation? I don't have access to the backend, so I need to decide how to proceed.
P.S. If anyone has another way of whitelisting events, I'd like to hear about it.