So, basically you need to configure a nullQueue on the system that is cooking the data. Here is an example of dropping unwanted events from a Windows Security log:
props.conf:
[source::WMI:WinEventLog:Security]
TRANSFORMS-FilterEvent = FilterEvent560
transforms.conf:
[FilterEvent560]
REGEX = (?msi)^EventCode=560
DEST_KEY = queue
FORMAT = nullQueue
You will want to change the source in props.conf to match your source, and probably change the 'FilterEvent560' identifier to something that makes more sense to you, like 'dropLow'. You will also need to create a REGEX that matches what you want to drop.
If you have any questions let us know.
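A way to check a drop REGEX against sample events before deploying it, so that audit events you still need are not routed to nullQueue. This is an added example, not part of the original post: Python's `re` stands in for Splunk's PCRE engine, and the `FilterEvent560Strict` stanza and the sample events are constructed for illustration.

```python
import configparser
import re

# transforms.conf stanza from the post, plus a tightened variant (assumption,
# not from the post) that refuses to match longer codes such as 5600.
TRANSFORMS = """
[FilterEvent560]
REGEX = (?msi)^EventCode=560
DEST_KEY = queue
FORMAT = nullQueue

[FilterEvent560Strict]
REGEX = (?msi)^EventCode=560(?!\\d)
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events, approximating the key=value layout of WMI event log data.
EVENTS = [
    "20100105120000.000000\nCategory=3\nEventCode=560\nType=Audit Success\n",
    "20100105120001.000000\nCategory=2\nEventCode=528\nType=Audit Success\n",
    "20100105120002.000000\nCategory=3\nEventCode=5600\nType=Audit Failure\n",
    "20100105120003.000000\nCategory=9\nEventCode=624\nMessage=see EventCode=560\n",
]

def load_transforms(text):
    """Parse transforms.conf text into {stanza_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's upper-case keys as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def route(event, stanza):
    """Return the queue an event lands in after one transform is applied."""
    if stanza["DEST_KEY"] == "queue" and re.search(stanza["REGEX"], event):
        return stanza["FORMAT"]
    return "indexQueue"  # default destination when the transform does not fire

def dropped(events, stanza):
    """Indexes of the events this transform would send to nullQueue."""
    return [i for i, e in enumerate(events) if route(e, stanza) == "nullQueue"]

if __name__ == "__main__":
    for name, stanza in load_transforms(TRANSFORMS).items():
        print(name, "drops events", dropped(EVENTS, stanza))
```

With these samples the post's pattern also drops the `EventCode=5600` event because it matches on the prefix, while the line-start anchor keeps the event that only mentions `EventCode=560` inside a message.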