How Do I Exclude Some Events From Being Indexed By Splunk?

Answer»

This can be done by defining a regex to match the necessary event(s) and send everything else to nullQueue. Here is a basic example that will drop everything except events that contain the string login. In props.conf:
<code>[source::/var/log/foo]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = setnull,setparsing
</code>

In transforms.conf:
<code>[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = login
DEST_KEY = queue
FORMAT = indexQueue
</code>
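To show why the order in TRANSFORMS-set matters, here is an added Python simulation (not Splunk code and not from the original answer) that reads the two transforms.conf stanzas above and routes a few constructed sample events the way Splunk's parsing pipeline does: transforms run in the listed order, and the last one that matches sets the queue. Reversing the order sends every event to nullQueue, because setnull then runs last and overrides setparsing.

```python
import re
import configparser

# Copy of the transforms.conf stanzas from the answer above (constructed input).
TRANSFORMS_CONF = """
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = login
DEST_KEY = queue
FORMAT = indexQueue
"""

def load_transforms(text):
    """Parse transforms.conf stanzas into {name: {key: value}}."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT in original case
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def route_event(event, transforms, order):
    """Apply the transforms in TRANSFORMS-set order; the last matching
    transform that writes DEST_KEY = queue wins. Events no transform
    touches stay on the default indexQueue."""
    queue = "indexQueue"
    for name in order:
        t = transforms[name]
        # REGEX is a plain PCRE-style match; case-sensitive as written
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], event):
            queue = t["FORMAT"]
    return queue

def route_all(events, order):
    transforms = load_transforms(TRANSFORMS_CONF)
    return {e: route_event(e, transforms, order) for e in events}

# Constructed sample events for /var/log/foo
SAMPLE_EVENTS = [
    "Jan 1 10:00:01 host sshd[1]: login succeeded for alice",
    "Jan 1 10:00:02 host cron[2]: job started",
    "Jan 1 10:00:03 host sshd[3]: failed login for bob",
]

if __name__ == "__main__":
    for order in (["setnull", "setparsing"], ["setparsing", "setnull"]):
        print("TRANSFORMS-set =", ",".join(order))
        for ev, q in route_all(SAMPLE_EVENTS, order).items():
            print(f"  {q:10s} {ev}")
```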

