I have data coming from a single source but I want to send the events that match a REGEX to an index and all the other that not match it to another index. I have already tried to change the order of the fields into the TRANSFORMS_ but it still put the events in both indexes. This is the content of the props.conf file: [tmpproxy] TRANSFORMS_routing1 =CIDR_Routing_matched, CIDR_Routing_others and this is the content of the transforms.conf file: [CIDR_Routing_matched] REGEX =src_host\=(?:10\.10\.10\.\d{1,3}|) FORMAT = tmp_matched_proxy DEST_KEY=_MetaData:Index WRITE_META=true [CIDR_Routing_others] REGEX =.+ FORMAT = tmp_others_proxy DEST_KEY=_MetaData:Index WRITE_META=true Is it possible to stop the TRANSFORMS_ field in the props.conf file after the first good match? ... View more