i try with this :
In props.conf, set the TRANSFORMS-null attribute:
[source::/var/log/messages]
TRANSFORMS-null= setnull
Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
[setnull]
REGEX = [sshd]
DEST_KEY = queue
FORMAT = nullQueue
Restart Splunk Enterprise.

but the envent still exist !

Hello @aala

I think the issue is with the regex, it should be like:

[setnull]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = nullQueue

Always test the regex first on https://regex101.com/ if the regex is able to match the event then it will work great.

And also no need to restart Splunk again and again for this, you can directly run on any browser:

http://<your-splunkserver>:8000/en-US/debug/refresh

In theory his original regex would have matched as well (and many events it shouldn't have). Since it matches any event that has an s, h or d character in it.

A couple of other things to take into account:
- ensure this is on the first HF / Indexer that touches the data
- make sure that transforms stanza is actually unique. "setnull" is quite generic and might conflict with another transforms config you have under that same name
- you say "event still exist": realize that deploying this config will only affect events ingested from now on. So when validating also make very sure you are only looking at events ingested after the change was done.