All Apps and Add-ons

Filter the data for OKTA application

rashi83
Explorer

Hi ,
On a standalone SH , we are pulling OKTA logs using OKTA Identity cloud app.
Need to filter events based on the email address . For example anything with *gmail.com should not be indexed.

Put props.conf and transforms .conf in location -
C:\Program Files\Splunk\etc\apps\TA-Okta_Identity_Cloud_for_Splunk\local

props.conf
[OktaIM2:log]
TRANSFORMS-set= setnull

transforms.conf
[setnull]
REGEX=gmail.com
DEST_KEY=queue
FORMAT=nullQueue

But still events are not getting filtered . Any suggestions?

0 Karma

to4kawa
SplunkTrust
SplunkTrust

Have you reboot splunk?

0 Karma

rashi83
Explorer

Yes I did .

0 Karma