This is a copy of the log header and how I currently have the props.conf and transforms.conf configured
props.conf
[bluecoat:proxysg:access:syslog]
TRANSFORMS-null = TrashHeader
transforms.conf
[TrashHeader]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue
Late answer but maybe it will benefit someone who searches for the same in the future:
You have ^#, which will discard all events that start with #.
Your props and transforms look fine.
I think the main question is: when do you want to discard them? At index time, you need to make sure you place them on the indexers (or in etc/system/local on a single install of Splunk). Also make sure you restart Splunk to make the settings active.
Whatever you do, make sure you troubleshoot whether the props and transforms settings are active.
Use btool:
$SPLUNK_HOME/bin/splunk cmd btool props list
Thank you for your response. Unfortunately, the Blue Coat header is still showing with the events
Can you try replacing your regex REGEX=^# with REGEX=^#.*$ and see if it works? See here for sample.
Thank you for your response. Unfortunately, the Blue Coat header is still showing with the events
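One way to check which events the two patterns discussed in this thread would send to nullQueue, as an added example that is not code from any poster. The sample events are constructed, the function names are hypothetical, and Python's re stands in for Splunk's PCRE engine (the two agree on these simple patterns); it assumes the transform is applied to _raw without multiline mode, so ^ anchors to the start of the whole event.

```python
import re

# Constructed sample events (not taken from the thread), as they might reach the
# indexer in _raw after line breaking.
SAMPLE_EVENTS = {
    "header_alone": "#Fields: date time c-ip cs-method sc-status",
    "syslog_prefixed": "<134>Jan 10 12:00:00 proxy01 #Fields: date time c-ip",
    "merged_after_data": "2015-01-10 12:00:00 10.0.0.5 GET 200\n#Software: SGOS",
    "header_block": "#Software: SGOS\n#Version: 1.0\n#Fields: date time c-ip",
    "data": "2015-01-10 12:00:01 10.0.0.5 GET 200",
}

def routes_to_null_queue(raw, regex):
    """True if a transform with this REGEX would match the event's _raw.

    No MULTILINE flag is set, so ^ matches only at the start of the event,
    not at the start of each line inside it.
    """
    return re.search(regex, raw) is not None

def diagnose(raw):
    """Explain why an event would or would not be dropped by REGEX = ^#."""
    if routes_to_null_queue(raw, r"^#"):
        return "dropped"
    if re.search(r"^#", raw, re.MULTILINE):
        return "kept: header merged into an event that starts with other text"
    if "#" in raw:
        return "kept: text precedes # on the line (e.g. a syslog prefix)"
    return "kept: not a header"

def report(regex):
    """Map each sample event name to whether the regex would discard it."""
    return {name: routes_to_null_queue(raw, regex)
            for name, raw in SAMPLE_EVENTS.items()}

if __name__ == "__main__":
    for name, raw in SAMPLE_EVENTS.items():
        print(f"{name:18} {diagnose(raw)}")
    print("^#    ", report(r"^#"))
    print("^#.*$ ", report(r"^#.*$"))
```

Running a search on the indexed header events and comparing their raw text against these cases shows whether the header reaches the transform as its own event beginning with #.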