Hi, I tried to filter events on version 2.30.0 based on v1.110.0 configuration, but it failed to dropped events in version 2. I also have read the document but somehow it still not working. maybe something that I miss out. kindly advise

SC4S V1.110.0

$ cat vendor_product_by_source.csv
f_null_queue,sc4s_vendor_product,"null_queue"

$ cat vendor_product_by_source.conf
filter f_null_queue {
host(10.14.1.98)
or host(10.14.1.99)
or host("uk-test-intfw*" type(glob))
};

Result: Events from above host has been dropped and didn’t see it show in Splunk

SC4S v2.30.0
$ cat vendor_product_by_source.csv
f_null_queue,sc4s_vendor_product,"null_queue"

$ cat vendor_product_by_source.conf
filter f_null_queue {
host(10.14.1.98)
or host(10.14.1.99)
or host("uk-test-intfw*" type(glob))
};

Result: With the same statement as V1, events still continues flow into Splunk without filter.

I have follow the document and make changed as below

$ cat vendor_product_by_source.csv
f_cisco_asa,sc4s_vendor_product,cisco_asa
f_fortinet_fortios,sc4s_vendor_product,fortinet_fortios

$ cat vendor_product_by_source.conf
filter f_cisco_asa {
host(10.14.1.98)
or host(10.14.1.99)
};

filter f_fortinet_fortios {
host(uk-test-intfw*" type(glob))
};