I have merged several lines into one event using Should_linemerge=true.
Now the event looks like:
abc
bcd
cde
efg
I want to send the line cde to the null queue and the remaining lines to the index queue. If I match the regex "cde" and send it to the null queue (using transforms.conf), will only that particular line containing "cde" be sent to the nullqueue, or will the entire event associated with it be moved to the null queue?
You can only queue-route entire events. You can, however, SEDCMD
to strip the data, like this:
SEDCMD-removeCDE = s/[\r\n]+cde([\r\n]+)/\1/
http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf
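The two behaviours described in this answer can be checked offline. The following Python is an added example written for this page, not Splunk code and not part of the original answer: it models a transforms.conf rule with DEST_KEY = queue and FORMAT = nullQueue (the REGEX is tested against the whole event, and the whole event is routed) and then applies the SEDCMD expression from the answer to the same merged event. The sample event and the function names are constructed for the example; the `strip_cde_line` variant is an assumed alternative, not from the page, included because the original expression requires a line break on both sides of "cde" and therefore leaves a "cde" that sits on the event's last line untouched.

```python
import re

# Constructed sample: one multi-line event produced by line merging
# (SHOULD_LINEMERGE = true), as in the question above.
MERGED_EVENT = "abc\nbcd\ncde\nefg"

# The SEDCMD from the answer, as a Python regex. In props.conf it is written
#   SEDCMD-removeCDE = s/[\r\n]+cde([\r\n]+)/\1/
# The replacement keeps only the captured trailing line break, so the lines
# around the removed "cde" stay joined.
SEDCMD_PATTERN = re.compile(r"[\r\n]+cde([\r\n]+)")


def route_event(event: str, null_regex: str) -> str:
    """Model a nullQueue routing rule (hypothetical helper name).

    transforms.conf tests REGEX against the event as a whole and sets the
    queue for the whole event; there is no per-line routing decision.
    """
    return "nullQueue" if re.search(null_regex, event) else "indexQueue"


def sedcmd_strip(event: str) -> str:
    """Model the answer's SEDCMD: rewrite the event text, keep the event."""
    return SEDCMD_PATTERN.sub(r"\1", event)


def strip_cde_line(event: str) -> str:
    """Assumed variant (not from the page): drop a whole line equal to "cde"
    wherever it sits, including the first or last line of the event.

    The trailing rstrip removes the dangling line break left behind when the
    deleted line was the last one.
    """
    return re.sub(r"(?m)^cde(?:\r?\n|$)", "", event).rstrip("\r\n")


if __name__ == "__main__":
    # Routing on "cde" sends the whole four-line event to the null queue.
    print(route_event(MERGED_EVENT, "cde"))          # nullQueue
    # SEDCMD removes only the "cde" line and the event is still indexed.
    print(repr(sedcmd_strip(MERGED_EVENT)))          # 'abc\nbcd\nefg'
    # The original expression needs a line break after "cde", so a trailing
    # "cde" line is not removed; the assumed variant handles that case.
    print(repr(sedcmd_strip("abc\nbcd\ncde")))       # 'abc\nbcd\ncde'
    print(repr(strip_cde_line("abc\nbcd\ncde")))     # 'abc\nbcd'
```

Run it as a script to see both outcomes side by side; the point to take away is that queue routing is an all-or-nothing decision per event, while SEDCMD edits the event's text before it is written to the index.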
The entire event will move to the null queue.