Hi Splunk Community,

We’re currently trying to drop specific logs using props.conf and transforms.conf, but our configuration doesn’t seem to be working as expected. Below is a summary of what we’ve done:

transforms.conf

[eliminate-accesslog_coll_health]
REGEX = ^.*(?:H|h)ealth.*
DEST_KEY = queue
FORMAT = nullQueue

[eliminate-accesslog_coll_actuator]
REGEX = ^.*actuator.*
DEST_KEY = queue
FORMAT = nullQueue

props.conf

[access_combined]
TRANSFORMS-set = eliminate-accesslog_coll_actuator, eliminate-accesslog_coll_health

[iis]
TRANSFORMS-set = eliminate-accesslog_coll_health

[(?::){0}kube:*]
TRANSFORMS-set = eliminate-accesslog_coll_actuator

The main issue is that events are not being dropped, even when a specific sourcetype is defined (like access_combined or iis).

Additionally, for logs coming from Kubernetes, there is no single consistent sourcetype, so we attempted to match using [source::] logic via a regex ([(?::){0}kube:*]), but this doesn’t seem to be supported in this context.

From what we've read in the documentation, it looks like regex patterns for [source::] are not allowed in props.conf, and must instead be written explicitly. Is that correct? And if so, what’s the best way to drop events from dynamic sources or where the sourcetype is inconsistent?

Any help or suggestions would be greatly appreciated. Thanks in advance!
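As an added check that is not part of the original post and is not Splunk itself: a small Python harness that applies the post's transforms.conf regexes to constructed sample events under the same props.conf sourcetype mapping, so you can see which events would be routed to nullQueue before deploying the configuration. The sample events and the `route`/`simulate` names are assumptions; the `[(?::){0}kube:*]` stanza is left out because whether it matches at all is the open question.

```python
import re

# Transforms as given in the post; only REGEX, DEST_KEY=queue and FORMAT are emulated.
TRANSFORMS = {
    "eliminate-accesslog_coll_health": {
        "REGEX": r"^.*(?:H|h)ealth.*", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "eliminate-accesslog_coll_actuator": {
        "REGEX": r"^.*actuator.*", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
}

# props.conf sourcetype stanzas from the post, in TRANSFORMS-set order.
# The [(?::){0}kube:*] stanza is deliberately not modelled here.
PROPS = {
    "access_combined": ["eliminate-accesslog_coll_actuator", "eliminate-accesslog_coll_health"],
    "iis": ["eliminate-accesslog_coll_health"],
}

def route(sourcetype, raw):
    """Emulate index-time routing: every listed transform whose REGEX matches _raw
    overwrites the queue key, so the last matching transform decides the queue."""
    queue, by = "indexQueue", None
    for name in PROPS.get(sourcetype, []):
        t = TRANSFORMS[name]
        if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], raw):
            queue, by = t["FORMAT"], name
    return queue, by

# Constructed sample events (hypothetical; not taken from the post).
SAMPLE_EVENTS = [
    ("access_combined", '10.0.0.5 - - [10/Oct/2024:13:55:36 +0000] "GET /health HTTP/1.1" 200 2'),
    ("access_combined", '10.0.0.5 - - [10/Oct/2024:13:55:37 +0000] "GET /actuator/prometheus HTTP/1.1" 200 512'),
    ("access_combined", '10.0.0.5 - - [10/Oct/2024:13:55:38 +0000] "GET /api/orders HTTP/1.1" 200 1024'),
    # Over-match: a user agent containing "health" drops a real business request.
    ("access_combined", '10.0.0.5 - - [10/Oct/2024:13:55:39 +0000] "GET /api/orders HTTP/1.1" 200 1024 "-" "healthcheck-agent/1.0"'),
    # iis lists no actuator transform, so this probe is kept.
    ("iis", "2024-10-10 13:55:40 10.0.0.5 GET /actuator/info - 80 - 10.0.0.9 - 200"),
    # The regex is case-sensitive after the first letter, so HEALTH is kept.
    ("iis", "2024-10-10 13:55:41 10.0.0.5 GET /HEALTH - 80 - 10.0.0.9 - 200"),
]

def simulate(events=SAMPLE_EVENTS):
    """Return (sourcetype, queue, transform) per event so the drop rules can be reviewed."""
    return [(st, *route(st, raw)) for st, raw in events]

if __name__ == "__main__":
    for st, queue, by in simulate():
        print(f"{st:16} -> {queue:10} {by or ''}")
```

Running it shows the two caveats a reviewer would flag before going live: the health regex also drops any event that merely mentions "health" in another field, and the iis stanza never drops actuator probes because that transform is not in its TRANSFORMS-set.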