I have been using both the SEDCMD and nullQueue to remove unnecessary events and strings in particular events.
transforms.conf
REGEX = (Hostname:\slocalhost)
DEST_KEY = queue
FORMAT = nullQueue
The above transforms.conf will not index the events that contain the hostname localhost, which is a good way to avoid indexing unnecessary events like this. nullQueue removes the entire event and doesn't have the capability to remove a string within the event instead of removing the entire event. So I adopted SEDCMD to replace the particular string with an empty space in all the events. But my question is: if I use SEDCMD, will it replace the string before indexing and send it to nullQueue, so that daily indexing volume will increase? Can someone advise on this?
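The two mechanisms from the question, shown wired together in props.conf and transforms.conf, as an added example that is not part of the original post. The sourcetype name `my_sourcetype`, the stanza name `drop_localhost`, the class name `strip_string` and the SEDCMD pattern are placeholders chosen for illustration.

```ini
# ---- props.conf (on the instance that parses the data) ----
# my_sourcetype is a placeholder sourcetype name.
[my_sourcetype]
# Whole-event filtering: events matching the transform below are routed
# to nullQueue and discarded.
TRANSFORMS-drop_localhost = drop_localhost
# In-event editing: sed-style substitution on the raw event text.
# The event is kept; only the matched string is removed.
# "UnwantedString" is a placeholder for the string to strip.
SEDCMD-strip_string = s/UnwantedString//g

# ---- transforms.conf ----
# drop_localhost is a placeholder stanza name; the three settings are
# the ones from the post.
[drop_localhost]
REGEX = (Hostname:\slocalhost)
DEST_KEY = queue
FORMAT = nullQueue
```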