Filtering the events using transforms

Splunk Enterprise

Hi,

I am trying to filter the events using LOGIN keyword and drop remaining events. I am trying with the below configuration and it is not working. Any suggestions please?

props.conf

[test_sourcetype]

TRANSFORMS-sample = test_authlog,setnull_test

transforms.conf

[test_authlog]

REGEX = (LOGIN)

DEST_KEY = queue

FORMAT = indexQueue

[setnull_test]

REGEX = (?!LOGIN)

DEST_KEY = queue

FORMAT = nullQueue

Filtering the events using transforms

troubleshooting

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>

Filtering the events using transforms

troubleshooting

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>