On a standalone SH, we are pulling OKTA logs using the OKTA Identity Cloud app.
Need to filter events based on the email address. For example, anything with *gmail.com should not be indexed.
Put props.conf and transforms.conf in location -
But still events are not getting filtered. Any suggestions?
Have you rebooted Splunk?
Yes, I did.