Hi @ssoftility, if you want to filter your logs before indexing, you surely use less license for these logs but you have fewer logs for your searches: you cannot use the discarded logs.

Anyway, with the only exception of WinEventLogs, logs can be filtered only on indexers or (when present) on heavy Forwarders. To do this, you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/8.2.3/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest

In a few words, on your Indexers you have to create a props.conf file containing:

[your_sourcetype]
TRANSFORMS-set = setnull,setparsing

and a transforms.conf like this:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = CmScanStatistics
DEST_KEY = queue
FORMAT = indexQueue

In this way you discard all logs except the ones containing "CmScanStatistics". Remember to restart Splunk if you manually modify files.

Ciao.
Giuseppe
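The following is an added example, not part of the post above and not Splunk's own code: a small Python simulation of how Splunk walks a TRANSFORMS-set list (in the listed order, the last transform that matches the same DEST_KEY wins), so the setnull/setparsing regexes can be checked against sample events before the indexers are restarted. The transforms.conf content and the sample events are embedded as constructed strings.

```python
import re

# transforms.conf stanzas from the post, embedded as a constructed string
TRANSFORMS_CONF = """
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = CmScanStatistics
DEST_KEY = queue
FORMAT = indexQueue
"""

# constructed sample events (not real log data)
SAMPLE_EVENTS = [
    "2024-01-01 10:00:00 CmScanStatistics scanned=120 failed=0",
    "2024-01-01 10:00:01 Heartbeat ok",
    "2024-01-01 10:00:02 cmscanstatistics lowercase variant",  # REGEX is case-sensitive
]

def parse_stanzas(text):
    """Parse a minimal .conf into {stanza: {key: value}} (no continuation lines)."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def route_event(raw, transforms, order):
    """Apply transforms in TRANSFORMS-set order; the last match on 'queue' wins."""
    queue = "indexQueue"  # events that match nothing keep the default queue
    for name in order:
        t = transforms[name]
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], raw):
            queue = t["FORMAT"]
    return queue

def route_all(raws, order=("setnull", "setparsing")):
    """Map each raw event to the queue it would land in under the given order."""
    transforms = parse_stanzas(TRANSFORMS_CONF)
    return {raw: route_event(raw, transforms, order) for raw in raws}
```

Running route_all with the order reversed (setparsing before setnull) sends every event to nullQueue, which is why the order in TRANSFORMS-set matters.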