We have to filter the data which has Result=pass, status=200 and send the other logs to Splunk. We received the logs in Splunk before adding props.conf and transforms.conf. We have the following configuration in props.conf and transforms.conf.
/opt/splunk/etc/apps/TA-AlibabaCloudSLS/default/transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = result\=200
DEST_KEY = queue
FORMAT = indexQueue

[cloudnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[cloudparsing]
REGEX = result\=pass
DEST_KEY = queue
FORMAT = indexQueue
/opt/splunk/etc/apps/TA-AlibabaCloudSLS/default/props.conf

[alibaba:cloudfirewall]
TRANSFORMS-set = cloudnull,cloudparsing

[alibaba:waf]
TRANSFORMS-set = setnull,setparsing
But we are not receiving any logs in Splunk for this, although there are logs in Alibaba Cloud. Below is the inputs.conf file:
/opt/splunk/etc/apps/TA-AlibabaCloudSLS/local/inputs.conf

[sls_datainput://Alibaba_Cloud_Firewall]
event_retry_times = 0
event_source = alibaba:cloudfirewall
event_sourcetype = alibaba:cloudfirewall
hec_timeout = 120
index = *****
interval = 300
protocol = private
sls_accesskey = *****
sls_cg = ******
sls_cursor_start_time = end
sls_data_fetch_interval = 1
sls_endpoint = *******
sls_heartbeat_interval = 60
sls_logstore = *****
sls_max_fetch_log_group_size = 1000
sls_project = *******
unfolded_fields = {"actiontrail_audit_event": ["event"], "actiontrail_event": ["event"] }

[sls_datainput://Alibaba_waf]
event_retry_times = 0
event_source = alibaba:waf
event_sourcetype = alibaba:waf
hec_timeout = 120
index = *****
interval = 300
protocol = private
sls_accesskey = ******
sls_cg = *******
sls_cursor_start_time = end
sls_data_fetch_interval = 1
sls_endpoint = ****
sls_heartbeat_interval = 60
sls_logstore = *****
sls_max_fetch_log_group_size = 1000
sls_project = ****
unfolded_fields = {"actiontrail_audit_event": ["event"], "actiontrail_event": ["event"] }
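The nullQueue/indexQueue chain in the posted transforms.conf is order-dependent: the catch-all nullQueue transform runs first and the later indexQueue transform pulls back only events it matches, so as written the chain keeps only result=200 / result=pass events instead of dropping them. As an added example (not from the post or the TA), here is a small Python model of that routing run over constructed sample events, next to a single-transform chain that drops Result=pass and status=200 events instead; it assumes the WAF field is named status as the question text says, rather than result as the posted regex says.

```python
import re

# Simplified model of how Splunk applies a TRANSFORMS-<class> chain: the
# transforms run in the listed order and each match overwrites DEST_KEY, so
# the last matching transform decides the queue. Unmatched events are indexed.
DEFAULT_QUEUE = "indexQueue"

def route(event: str, transforms: list) -> str:
    """Return the queue an event lands in after the whole chain has run."""
    queue = DEFAULT_QUEUE
    for regex, dest in transforms:
        if re.search(regex, event):
            queue = dest
    return queue

# The WAF chain exactly as posted: setnull sends everything to nullQueue,
# then setparsing pulls only events containing "result=200" back to the index.
POSTED_WAF = [
    (r".", "nullQueue"),             # [setnull]
    (r"result\=200", "indexQueue"),  # [setparsing]
]

# One transform per sourcetype that does what the question asks for: drop the
# matching events and let everything else reach the index. (?i) ignores case,
# because the text says "Result=pass" while the posted regex is lowercase.
# Assumes the WAF field is named "status" as in the text, not "result".
# Equivalent transforms.conf stanza for the WAF case:
#   [wafdrop]
#   REGEX = (?i)\bstatus=200\b
#   DEST_KEY = queue
#   FORMAT = nullQueue
PROPOSED_FIREWALL = [(r"(?i)\bresult=pass\b", "nullQueue")]
PROPOSED_WAF = [(r"(?i)\bstatus=200\b", "nullQueue")]

# Constructed sample events in key=value form (not real Alibaba Cloud logs).
SAMPLE_EVENTS = [
    "src=10.0.0.5 Result=pass status=200 uri=/index.html",
    "src=10.0.0.6 Result=block status=403 uri=/admin",
    "src=10.0.0.7 Result=pass status=500 uri=/api",
    "src=10.0.0.8 result=200 uri=/health",
]

def routing_table(transforms: list) -> dict:
    """Map each sample event to the queue the given chain sends it to."""
    return {event: route(event, transforms) for event in SAMPLE_EVENTS}
```

Running routing_table(POSTED_WAF) shows that only the event containing the literal string result=200 is indexed and every other event is discarded, which matches the symptom of almost nothing arriving in Splunk; the proposed chains keep everything except the events meant to be filtered.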