Hi craymore,
a clarification:
discard filters are always enabled on Indexers,
instead sourcetype specifications are defined on Universal Forwarders when you have indexed extractions.
This means that the discard problem isn't related to the position of discard filters.
I think that the first thing is to test the filtering regex.
To do this you can use Splunk itself (rex command).
When you're sure of your regex, choose whether you have to discard some events and take all the others, or to take some events and discard all the others.
This is important in the props.conf and transforms.conf definition:
if you have to discard some events and take all the others, you can use my above configurations;
if instead you have to take some events and discard all the others, use the following configurations:
props.conf

[source::/var/log/messages]
TRANSFORMS-set = setnull, setparsing

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = my_regex
DEST_KEY = queue
FORMAT = indexQueue
In a few words:
in props.conf, the order of stanzas is:
first the all-events stanza,
then the filtering stanza.
If you want, share the regex for filtering and an example to test it.
Bye.
Giuseppe
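An added example, not part of Giuseppe's reply, that simulates how Splunk applies the two transforms above in order so you can check the routing against sample events before touching props.conf: each matching stanza writes DEST_KEY, and a later match overwrites an earlier one, which is why setnull must precede setparsing. The sample events are constructed, and my_regex is assumed to be a pattern matching sshd events.

```python
import re

# Constructed sample /var/log/messages events (not from the original thread).
SAMPLE_EVENTS = [
    "Mar  1 10:00:01 host1 sshd[123]: Accepted publickey for alice from 10.0.0.5",
    "Mar  1 10:00:02 host1 CRON[456]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  1 10:00:03 host1 sshd[789]: Failed password for invalid user bob from 10.0.0.9",
]

# The transforms.conf stanzas, in the order props.conf lists them
# (TRANSFORMS-set = setnull, setparsing). The REGEX of setparsing stands in
# for "my_regex"; here it is assumed to keep only sshd events.
TRANSFORMS = [
    {"name": "setnull",    "REGEX": r".",      "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    {"name": "setparsing", "REGEX": r"sshd\[", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
]


def route_event(raw, transforms=TRANSFORMS):
    """Return the final queue for one raw event.

    Mirrors Splunk's behaviour: every stanza whose REGEX matches writes its
    FORMAT into DEST_KEY, and a later matching stanza overwrites an earlier
    one. The last write wins, so stanza order decides what is kept.
    """
    keys = {"queue": "indexQueue"}  # default destination when nothing matches
    for t in transforms:
        if re.search(t["REGEX"], raw):
            keys[t["DEST_KEY"]] = t["FORMAT"]
    return keys["queue"]


def route_all(events=SAMPLE_EVENTS, transforms=TRANSFORMS):
    """Map each sample event to the queue it would end up in."""
    return {e: route_event(e, transforms) for e in events}


if __name__ == "__main__":
    for event, queue in route_all().items():
        print(f"{queue:10s} {event}")
    # Swapping the stanza order sends everything to nullQueue.
    swapped = route_all(transforms=list(reversed(TRANSFORMS)))
    print("all discarded when order is reversed:", set(swapped.values()) == {"nullQueue"})
```

Run it once with your real regex in place of `sshd\[` and confirm that only the events you expect land in indexQueue.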