For syslog events, dropping events works in a different way. I was able to finally get it to work. Posting it here so that it might help someone else who is facing the same kind of situation.

Because of the way Splunk identifies and cooks a syslog event, the syslog event ends up getting cooked using one of the configurations in the default props.conf called syslog-host. We will have to override that so that the events get dropped first, before Splunk tries to cook the event.

For example, if we want to drop all syslog events coming from servers that have expr in their names, then this needs to be done this way.

Add this to props.conf:

    #syslog
    [syslog]
    TRANSFORMS = drop_events_syslog, syslog-host

And add drop_events_syslog in transforms.conf:

    [drop_events_syslog]
    REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(.*expr.*)\]?\s
    DEST_KEY = queue
    FORMAT = nullQueue

The most important thing here is that, in props.conf, we have to mention our drop stanza first and then also mention the syslog-host stanza. This will ensure the syslog-host stanza gets handled after the drop gets handled.
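The following is an added check, not part of the post above: before shipping a nullQueue rule, run the REGEX from the transforms.conf stanza over a handful of representative events and confirm exactly which ones it would route to nullQueue. The sample syslog lines are constructed for this example, and the second regex is an assumed approximation of Splunk's built-in syslog-host host extraction, included only to show that the host is still recoverable from events the rule keeps. One thing the dry run makes visible: the posted pattern `(.*expr.*)` matches "expr" anywhere after the timestamp, so an event from a host that does not contain "expr" is still dropped if the message body contains that string (the third sample event below).

```python
import re

# Constructed sample syslog lines (not taken from the original post).
SAMPLE_EVENTS = [
    "Dec 10 12:34:56 exprhost01 sshd[1234]: Accepted password for admin from 10.0.0.5",
    "Dec 10 12:34:57 webhost02 sshd[2345]: Failed password for root from 10.0.0.9",
    "Dec 10 12:34:58 dbhost03 cron[99]: (root) CMD (expr 1 + 1)",
]

# REGEX from the drop_events_syslog stanza in the post (Splunk uses PCRE; this
# particular pattern uses only syntax that Python's re module shares with PCRE).
DROP_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(.*expr.*)\]?\s"
)

# Assumed approximation of the default syslog-host transform: same prefix as the
# drop rule, but captures a hostname token instead of anything containing "expr".
HOST_REGEX = re.compile(
    r":\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s"
)


def would_drop(event: str) -> bool:
    """True if drop_events_syslog would send this event to nullQueue."""
    return DROP_REGEX.search(event) is not None


def extract_host(event: str):
    """Hostname the (assumed) syslog-host transform would assign, or None."""
    m = HOST_REGEX.search(event)
    return m.group(1) if m else None


def dry_run(events):
    """Evaluate each event in the order props.conf lists the transforms:
    the drop rule first, then host extraction for whatever survives.
    Returns a list of (event, dropped, host) tuples."""
    results = []
    for event in events:
        dropped = would_drop(event)
        host = None if dropped else extract_host(event)
        results.append((event, dropped, host))
    return results


def dropped_hosts(events):
    """Hosts whose events would be dropped, to eyeball for false positives."""
    return sorted({extract_host(e) for e in events if would_drop(e)} - {None})


if __name__ == "__main__":
    for event, dropped, host in dry_run(SAMPLE_EVENTS):
        verdict = "nullQueue" if dropped else f"indexed (host={host})"
        print(f"{verdict:28s} {event}")
    print("hosts affected by the drop rule:", dropped_hosts(SAMPLE_EVENTS))
```

If the dry run shows hosts you did not intend to silence, tighten the capture to the hostname position (for instance by anchoring on the hostname token the way the host extraction does) before relying on the rule, since anything sent to nullQueue is gone for good.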