I'm trying to remove some of the events that should be forwarded to the frontend.
From a configuration perspective everything is OK.
transforms.conf

[nullMon]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[routeRemains]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = tcp_out

props.conf

[source_log]
TRANSFORMS = nullMon, routeRemains
But I'm receiving everything on the destination host.
Does the Universal Forwarder allow the use of nullQueues?
No, since nullQueue transformations take place during the parsing phase, this configuration is only valid on either a Heavy Forwarder or an Indexer.
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
/K
No, you'd need to configure this transform on an indexer or heavy forwarder. See http://docs.splunk.com/Documentation/Splunk/6.0/Indexer/Howindexingworks
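A small check for the situation in this thread, added here as an example and not code from any poster or from Splunk: it parses props.conf and transforms.conf text and flags nullQueue transforms deployed to a universal forwarder, where they are never applied. The function names and the `instance_type` argument are assumptions; the sample input is the configuration from the question.

```python
import configparser

# Sample input: the configuration posted in the question.
TRANSFORMS_CONF = """
[nullMon]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[routeRemains]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT= tcp_out
"""
PROPS_CONF = """
[source_log]
TRANSFORMS = nullMon, routeRemains
"""

def parse_conf(text):
    """Parse Splunk .conf text (INI-like) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key case: DEST_KEY, TRANSFORMS-<class>
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def nullqueue_filters(props_text, transforms_text):
    """Return (props stanza, transform) pairs that send events to nullQueue."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    hits = []
    for stanza, settings in props.items():
        for key, value in settings.items():
            if key != "TRANSFORMS" and not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms.get(name, {})
                if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                    hits.append((stanza, name))
    return hits

def audit(props_text, transforms_text, instance_type):
    """instance_type is supplied by the caller (assumed values:
    'universal_forwarder', 'heavy_forwarder', 'indexer')."""
    if instance_type != "universal_forwarder":
        return []  # parsing happens here, so the filter takes effect
    return [f"[{s}] {n}: nullQueue filter is skipped on a universal forwarder; "
            "events are forwarded unfiltered" for s, n in nullqueue_filters(props_text, transforms_text)]

if __name__ == "__main__":
    print("\n".join(audit(PROPS_CONF, TRANSFORMS_CONF, "universal_forwarder")))
```

Run against a deployment app before pushing it to forwarders, so a filter meant to keep events off the indexers does not fail silently.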