Does the text in the actual raw event contain the string?

dest_port=443

Because if it does not, you are probably referring to a field name that is extracted at search time. nullQueueing takes place during the parsing/indexing phase, and no fields are available then (apart from stuff like host, source etc). Also, make sure that you're editing the correct config files. nullQueueing takes place during the parsing phase, and depending on your setup, that might be on the indexer or on a Heavy Forwarder;

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad#Discard_specific_even...

[default]
TRANSFORMS-nullqueue_443= remove443

transforms.conf:

[remove443]
REGEX = dest_port=443
DEST_KEY = queue
FORMAT = nullQueue

But as you may have noticed, it does not seem to work. Please provide a few sample events. Also, I'm not 100% sure that you can put the TRANSFORM in props.conf under the [default] stanza. It's a rather unusual request, and I have never tried it.

If that does not work, (under default) then you might have to put the TRANSFORMS line in each source/sourcetype stanza that may contain data that you want to filter out.

EDIT: Typo in the stanza header in transforms.conf... fixed it.

/K