Hi all,
I am using Splunk Add-on for Microsoft Cloud Services.
The collected Workload types are as follows.
- AzureActiveDirectory
- MicrosoftTeams
- Exchange
Of the above workloads, the MicrosoftTeams log is not needed and I do not want to index it in Splunk.
Is there a way to exclude the log whose workload is MicrosoftTeams when it proceeds to index?
No, there is no way to exclude a particular workload log in the MSCS add-on. It will fetch all the logs through the Management Activity API.
I used "TRANSFORMS-filter" to exclude a particular workload log.
props.conf
# add TRANSFORMS-filter
[ms:o365:management]
TRANSFORMS-filter = o365null
transforms.conf
# if the event matches the regex, send it to nullQueue
[o365null]
REGEX = (MicrosoftTeams)
DEST_KEY = queue
FORMAT = nullQueue
Thanks!
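An added example (not part of the original posts or the add-on's code): a Python simulation of the nullQueue routing over constructed events, comparing the posted REGEX with a pattern anchored on the Workload key, so that audit events from other workloads that merely mention MicrosoftTeams are not discarded. The anchored pattern, the event contents and the function names are assumptions; it assumes the raw event is the JSON record with a top-level "Workload" field.

```python
import json
import re

# Pattern from the post: matches the string anywhere in the raw event.
BROAD = re.compile(r'(MicrosoftTeams)')
# Assumed tighter pattern: only the value of the "Workload" key.
ANCHORED = re.compile(r'"Workload"\s*:\s*"MicrosoftTeams"')

# Constructed sample events (not real tenant data), one JSON object per event.
EVENTS = [
    {"Id": "evt-1", "Workload": "MicrosoftTeams", "Operation": "MessageSent"},
    {"Id": "evt-2", "Workload": "Exchange", "Operation": "MailItemsAccessed"},
    # An Azure AD event that only references Teams in a nested field.
    {"Id": "evt-3", "Workload": "AzureActiveDirectory",
     "Operation": "Add service principal.",
     "Target": [{"ID": "MicrosoftTeams", "Type": 1}]},
]


def route(raw, pattern):
    """Mimic DEST_KEY = queue: a match sends the event to nullQueue."""
    return "nullQueue" if pattern.search(raw) else "indexQueue"


def dropped_ids(events, pattern):
    """Return the Ids of events the transform would discard."""
    return [e["Id"] for e in events
            if route(json.dumps(e), pattern) == "nullQueue"]


if __name__ == "__main__":
    print("broad   :", dropped_ids(EVENTS, BROAD))
    print("anchored:", dropped_ids(EVENTS, ANCHORED))
```

The anchored pattern can be used as the REGEX value in the [o365null] stanza. Index-time transforms take effect on the instance that parses the data (heavy forwarder or indexer).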