In configuring Rules for Splunk Ingest Actions I have a sourcetype configured for numerous "Filter with Regular expression" stanzas that is properly dropping events ...
However, I'd like to have the same sourcetype drop messages where host=foo-* ...
I might be able to use the eval expression to do that, but I'm not sure how to construct it in a format acceptable to the UI, and functionally appropriate.
eval true = if(match(host,"^foo-"),true,null())
I'm sure that's wrong, but there really are no examples that I've been able to find other than "true()".
I know this is quite a late response, but you should be able to accomplish this by using "Filter using Regex".
Select "host" for Source Field
In "Drop Events Matching Regular Expression", enter ^foo-
That will set it so that any events with a host field value that starts with foo- will be dropped.