Splunk Search

Hi, I have a scenario to filter the logs events before they get index using HTTP events collector.

rashi83
Path Finder

I am using HTTP events collector on a search head directly. On this SH I am using API token to connect to get OKTA logs .
While doing this I am getting logs from other Opco's as well. Is there a way I can filter the events on SH before they get indexed or even after they get indexed.

I do not want events who has alternateid as 123@yahoo.com.

Sample log event -
{"outcome": {"result": "SUCCESS", "reason": null}, "transaction": {"type": "WEB", "detail": {}, "id": "Xo1bawKolLzMzd8K9kfu7QAAAfg"}, "uuid": "75a3359f-7956-11ea-bbe3-014a745a938e", "request": {"ipChain": [{"ip": "138.75.252.133", "source": null, "geographicalContext": {"postalCode": "18", "country": "Singapore", "city": "Singapore", "state": null, "geolocation": {"lon": 103.8547, "lat": 1.2929}}, "version": "V4"}, {"ip": "165.225.112.151", "source": null, "geographicalContext": {"postalCode": null, "country": null, "city": null, "state": null, "geolocation": {"lon": 105.0, "lat": 35.0}}, "version": "V4"}]}, "severity": "INFO", "version": "0", "eventType": "user.authentication.sso", "target": [{"type": "AppInstance", "detailEntry": {"signOnModeType": "SAML_2_0"}, "displayName": "Okta Org2Org", "id": "0oal0mtjt5nMLSHRs0h7", "alternateId": "CIAM MarshDev"}, {"type": "AppUser", "detailEntry": null, "displayName": "Mansi Mittal", "id": "0uam4poth8cW3A68j0h7", "alternateId": "123@gmail.com"}],

Tags (1)
0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

You can send these logs to null queue with below configurations in search head.
props.conf

 [sourcetype_name]
 TRANSFORMS-null_queue = data_nullq

transforms.conf

 [data_nullq]
 DEST_KEY = queue
 REGEX = \"alternateId\"\:\s\"123@gmail\.com\"
 FORMAT = nullQueue
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...