Hi there,

I'm experiencing difficulty in discarding certain events while they're passing through my heavyweight forwarder layer. I'm attempting to do so using a props.conf and transforms.conf.

The end to end traffic flow is architected in the following manner:

Java log appender -> HEC (based on Heavyweight Forwarder) -> Indexer <-> Search Head

The content of my props.conf is as follows:

[_json]
pulldown_type = true
INDEXED_EXTRACTIONS = json
KV_MODE = none
category = Structured
TRANSFORMS-set = setnull

The content of my transforms.conf is as follows:

[setnull]
REGEX = \"path\":\"\\\/status\”
DEST_KEY = queue
FORMAT = nullQueue

Here's an example of a message of which I'm trying to filter:

{"severity":"INFO","logger":"RL","thread":"omitted","message":{"path":"\/status","requestBody":null,"success":null,"query":null,"errorMessage":null,"startTime":"09:31:03.133","endTime":"09:31:03.133","httpMethod":"GET","operation":"StatusController.status","processingTime":0.0,"statusCode":0},"properties":{"start_time":"1524173463133","ua_family_version":"null.null","os_family":"omitted","customer_number":"omitted","requestID":"omitted","ua_family":"omitted","session_id":null,"device_family":"omitted","client_ip":"omitted","request_id":"omitted","os_family_version":"null.null"}}

After applying the props.conf and transforms.conf I've tried both restarted our Heavyweight Forwarders, as well as using the http://splunk.domain/en-US/debug/refresh/ URL to reload the config, but the logs are still being indexed despite this. This makes me suspect that my props.conf or transforms.conf are incorrectly formatted.

I've also tried completing this configuration directly at the Indexer but this has failed.

Essentially my desired outcome is that I want any message which has the "path" key defined as "/status" to be routed to null, and not be indexed, while all other traffic is indexed successfully.

If there's any assistance that could be offered in resolving this issue it would be greatly appreciated!

Thanks!