I am using Splunk Add-on for Microsoft Cloud Services.
The collected Workload types are as follows.
Of the above Workloads, the MicrosoftTeams log is not needed and I do not want to index it in Splunk.
Is there a way to exclude the log whose workload is MicrosoftTeams when it proceeds to index?
No, there is no way to exclude a particular workload log in the MSCS add-on. It will fetch all the logs through the Management Activity API.
I used "TRANSFORMS-filter" to exclude a particular workload log.
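# props.conf
# <your_sourcetype> is a placeholder: use the sourcetype of the input
[<your_sourcetype>]
# add TRANSFORMS-filter
TRANSFORMS-filter = o365null

# transforms.conf
[o365null]
# if an event matches the regex, send it to nullQueue
REGEX = (MicrosoftTeams)
DEST_KEY = queue
FORMAT = nullQueue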
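Events sent to nullQueue are discarded before indexing and cannot be searched later, so it is worth checking which audit records a pattern would drop before deploying it. The script below is an added example, not part of the original posts: it mimics the routing decision over constructed sample events and compares the posted pattern with a pattern tied to the Workload field. It assumes the raw event is the JSON record returned by the Management Activity API; the sample events and the ANCHORED pattern are illustrative.

```python
import json
import re

# Pattern from the reply above, and a tighter alternative (assumption:
# _raw is the JSON record returned by the Management Activity API).
BROAD = re.compile(r'(MicrosoftTeams)')
ANCHORED = re.compile(r'"Workload"\s*:\s*"MicrosoftTeams"')

# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    json.dumps({"Workload": "MicrosoftTeams", "Operation": "MessageSent",
                "UserId": "a@example.com"}),
    json.dumps({"Workload": "Exchange", "Operation": "MailItemsAccessed",
                "UserId": "b@example.com"}),
    # Not a Teams event, but the string appears in another field.
    json.dumps({"Workload": "AzureActiveDirectory",
                "Operation": "Consent to application.",
                "Target": "MicrosoftTeamsHelper (constructed app name)",
                "UserId": "c@example.com"}),
]


def route(raw, pattern):
    """Mimic the transform: a match sets queue=nullQueue, else the event is indexed."""
    return "nullQueue" if pattern.search(raw) else "indexQueue"


def dropped_workloads(events, pattern):
    """Return the Workload of every event the pattern would discard."""
    return [json.loads(e)["Workload"] for e in events
            if route(e, pattern) == "nullQueue"]


if __name__ == "__main__":
    for name, pat in (("broad", BROAD), ("anchored", ANCHORED)):
        print(name, "drops:", dropped_workloads(SAMPLE_EVENTS, pat))
```

With the posted pattern the AzureActiveDirectory consent event is discarded as well, because the string appears in a field other than Workload.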