It's not clear to me if you want to discard the events where all three conditions are true (action="deny" scrip=10.12.55.55 dstip=192.168.10.0) or only events where conditions 1 and 2 or 3 are true (action="deny" AND (scrip=10.12.55.55 OR dstip=192.168.10.0)).
If the first, the regex is easy:
Thanks for the response. I want to dump the events where action="deny" and scrip=10.12.55.55 are always present and there can be multiple dstip entries. Based on your answer, will the regex in transforms.conf look like this?