Ok, this is interesting. So there seems to have been a large lag in when this (sorta) started working. Most events are being filtered now, but even though I have this set in the Main Indexer props/transforms.conf. One of the hosts is still getting these events indexed.

Any idea why it would be a specific host? Since its not a config on the universal forwarders, but rather the indexer itself it shouldn't require a reload deploy-server or anything, right?

haha, no problem, I've had that kind of week too. However all seems to be set up fine. The only thing I can think of trying, but didn't want to go randomly trying different solutions yet.

Is to try and specify a different source type in my input stanzas instead of the auto generated access-combined-wcookie that splunk assigns to access files and go from there. I wanted to see if someone had a simple explanation why this wasn't working first.

By comparing the props.conf stanza name to your sourcetype, which I could have done with the info you already supplied. Can you tell I'm in pre-vacation mode? 🙂

How would you verify it? it seems pretty straight forward, how would i check to see that its executing?

[access_combined_wcookie]>source type
TRANSFORMS-nullQ = nullFilter

Your REGEX appears to work fine with your sample event. Have you verified the right props.conf stanza is executing?

regex is in the tranforms, its straigh forward, if access log event has that in it, ignore it. The following works in search

index=test sourcetype="access_combined_wcookie"| regex _raw=HealthChecker

this should be returning nothing with my nullQueue set, but all the events are still being indexed

here is a sample event returned

1X.XXX.XX.XXX 1X.XXX.XX.XXX - - [22/May/2014:17:00:40 +0000] "GET /health.php HTTP/1.1" 200 58 "-" "ELB-HealthChecker/1.0" "-"