Good day,

This is my first time trying to filter data with props.conf/transform.conf. Sorry if this post is in the wrong location.

This is on a standalone Windows Splunk 8.0.3 box. I have placed the props.conf/transform.conf in the C:\Program Files\Splunk\etc\system\local directory.

The data I want to filter out is the Rhttpproxy data from an ESXi host.

<167>2020-11-20T15:12:26.668Z ESX01.test.com Rhttpproxy: verbose rhttpproxy[2101380] [Originator@6876 sub=Proxy Req 11290] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x0000005839540e50] _serverNamespace = /vpxa action = Allow _port = 8089

host = 192.168.10.10
process = Rhttpproxy
source = tcp:514
sourcetype = syslog

===========================

My current config is:

props.conf

[source::tcp:514]
TRANSFORMS-null = setnull

transform.conf

[setnull]
REGEX = rhttpproxy
DEST_KEY = queue
FORMAT = nullQueue

================================

Things I have tried

--

[host::192.168.10.10]
TRANSFORMS-null = setnull

--

[host::192\.168\.10\.10]
TRANSFORMS-null = setnull

--

[syslog]
TRANSFORMS-null = setnull

--

[setnull]
REGEX = verbose\srhttpproxy
DEST_KEY = queue
FORMAT = nullQueue

--

[setnull]
SOURCE_KEY = field:process
REGEX = Rhttpproxy
DEST_KEY = queue
FORMAT = nullQueue

--

I have read the documentation several times, and I am just not understanding it.

https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf
https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Propsconf

Thanks in advance.

Aaron