Universal forwarders cannot filter events. You must use a heavy forwarder or put your props.conf settings on your indexers.
The SEDCMD setting is not correct. It must be in the format s/<search regex>/<replacement string>/ . Replacing the entire event string will not remove the event. To remove unwanted events, send them to nullQueue like so:
props.conf
[source:\path\to\log\log.txt]
TRANSFORMS-set = setnull,setparsing
transforms.conf
[setnull]
REGEX = (listening on the port|[Nn]o usable rule found)
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
... View more