Basically you come up with props.conf and transforms.conf settings that get applied at index time (whether that's with the UI or by hand, either way). (if it's message that matches a Regex, you would typically have a TRANSFORMS attribute in props, pointing to a stanza in transforms.conf that when your regex matches, it sets the next Queue to the nullQueue. See the example at: http://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues
With Splunk Cloud, I'm not sure if you could log a ticket once you've developed the configuration and get them to plop your settings onto your indexers (I would think this falls into "Modifying the configuration settings of your Splunk Cloud deployment" that Splunk Support is supposed to be able to help you with per the FAQ but I'm not a Splunk Cloud customer). The alternative is where you setup a (group of) Heavy Weight (Intermediate) Forwarder(s) ... in this setup instead of having your existing forwarders send directly to Splunk Cloud, they send to the HWFs. The HWFs apply all the parsing and filtering rules, and only forwards on those that you want to. This gives you more instant control of course, with the cost of maintaining more systems and settings obviously.
... View more