
Filter the data for OKTA application

Explorer

Hi,
On a standalone SH, we are pulling OKTA logs using the OKTA Identity Cloud app.
We need to filter events based on the email address. For example, anything with *gmail.com should not be indexed.

I put props.conf and transforms.conf in this location -
C:\Program Files\Splunk\etc\apps\TA-OktaIdentityCloudforSplunk\local

props.conf
[OktaIM2:log]
TRANSFORMS-set= setnull

transforms.conf
[setnull]
REGEX=gmail.com
DEST_KEY=queue
FORMAT=nullQueue

But still, events are not getting filtered. Any suggestions?

0 Karma
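Added example, not part of the original post or of the Okta add-on: a small Python simulation of the routing decision the posted transform makes, run over constructed Okta-style events, to show which events the posted REGEX would send to nullQueue once it is applied. It assumes the transform is evaluated against the raw JSON event (Splunk's default source key) and that the email sits in `actor.alternateId`; the `SCOPED` pattern and the sample events are assumptions made for illustration.

```python
import json
import re

# The REGEX exactly as posted in transforms.conf, and a tighter pattern
# (an assumption added here) scoped to the actor's alternateId field.
POSTED = re.compile(r"gmail.com")
SCOPED = re.compile(r'"actor":\s*\{[^{}]*"alternateId":\s*"[^"@]+@gmail\.com"')

def make_event(actor, target, agent="Mozilla/5.0"):
    """Build a constructed, heavily trimmed Okta-style System Log event."""
    return json.dumps({
        "actor": {"type": "User", "alternateId": actor},
        "client": {"userAgent": {"rawUserAgent": agent}},
        "eventType": "user.session.start",
        "target": [{"type": "User", "alternateId": target}],
    })

# Constructed sample events (not real Okta data).
EVENTS = {
    "gmail_actor": make_event("alice@gmail.com", "alice@gmail.com"),
    "corp_actor": make_event("bob@corp.example", "bob@corp.example"),
    "corp_admin_on_gmail_target": make_event("admin@corp.example", "eve@gmail.com"),
    "lookalike": make_event("carol@gmailxcom.example", "carol@gmailxcom.example"),
}

def route(pattern, raw):
    """Simulate the transform: a match on the raw event means nullQueue."""
    return "nullQueue" if pattern.search(raw) else "indexQueue"

def routing_table(pattern):
    """Return {event name: queue} for every constructed event."""
    return {name: route(pattern, raw) for name, raw in EVENTS.items()}

if __name__ == "__main__":
    for label, pat in (("posted", POSTED), ("scoped", SCOPED)):
        print(label, routing_table(pat))
```

With the posted pattern, an event where a corporate admin acts on a gmail.com target is dropped along with the gmail.com logins, and the unescaped dot also matches the lookalike domain, so the filter removes audit records beyond the ones intended.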

Re: Filter the data for OKTA application

Ultra Champion

Have you rebooted Splunk?

0 Karma

Re: Filter the data for OKTA application

Explorer

Yes, I did.

0 Karma