https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-certain-emails-from-being-indexed/m-p/499086#M85075 <P>Hi @capilarity, <BR /> sorry few lines above:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest">https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P> <P>Ciao.<BR /> Giuseppe</P> Fri, 15 May 2020 15:54:44 GMT gcusello 2020-05-15T15:54:44Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-certain-emails-from-being-indexed/m-p/499083#M85072 <P>We have recently turned on journaling within MS Exchange which basically sends a copy of every item to a journaling mail box. We know the email address the process uses and this appears in the message tracking logs as additional emails - in short journaling has doubled our Splunk licence usage!!</P> <P>We would like to exclude the journaling email address from being indexed.<BR /> Exchange can't turn off message tracking for certain email addresses</P> <P>We are using UF on the Exchange servers with a load balanced intermediate level of Heavy forwarders.</P> <P>We have tried to apply the exclusion based on this answer - Answer 289736 - how to exclude a sourcetype from being indexed, but using a regex that picks up the journaling email address.</P> <P>The address we want to exclude is: <A href="mailto:journal@ev.local">journal@ev.local</A></P> <P>We've tried it on the Intermediate Heavy forwarders and on the index servers with no effect.</P> <P>The config we have applied is:</P> <P>props.conf<BR /> [MSExchange:2013:MessageTracking]<BR /> TRANSFORMS-JournalRemoval = JournalRemoval</P> <P>transforms.conf<BR /> [JournalRemoval]<BR /> REGEX =.*<A href="mailto:journal@ev">journal@ev</A>.*<BR /> DEST_KEY = queue<BR /> FORMAT = nullqueue</P> <P>Any ideas why this might not be working?<BR /> Thanks</P> Thu, 14 May 2020 12:23:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-certain-emails-from-being-indexed/m-p/499083#M85072 capilarity 2020-05-14T12:23:01Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-certain-emails-from-being-indexed/m-p/499084#M85073 <P>Hi @capilarity,<BR /> filter must be on Indexers if there isn't any Heavy Forwarders, otherwise on HFs.<BR /> the instruction to filter data are at <A href="https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest">https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P> <P>Anyway, in transforms.conf try one or the other of these regexes:</P> <PRE><CODE>REGEX=journal@ev REGEX=(journal@ev) </CODE></PRE> <P>Ciao.<BR /> Giuseppe</P> Thu, 14 May 2020 12:52:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-certain-emails-from-being-indexed/m-p/499084#M85073 gcusello 2020-05-14T12:52:18Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-certain-emails-from-being-indexed/m-p/499085#M85074 <P>Thanks Giuseppe, I had found the docs you highlighted but they are about including the ones that match the regex and discard the rest, we are trying to do the other way round, discard those that match, index the rest.</P> <P>I've also tried the different combinations of the regex you suggested on both the intermediate HF and the indexer.<BR /> Sill no luck <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Fri, 15 May 2020 15:13:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-certain-emails-from-being-indexed/m-p/499085#M85074 capilarity 2020-05-15T15:13:16Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-certain-emails-from-being-indexed/m-p/499086#M85075 <P>Hi @capilarity, <BR /> sorry few lines above:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest">https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P> <P>Ciao.<BR /> Giuseppe</P> Fri, 15 May 2020 15:54:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-exclude-certain-emails-from-being-indexed/m-p/499086#M85075 gcusello 2020-05-15T15:54:44Z