Solved: How to exclude the MicrosoftTeams Workload log?

ssanplunk · ‎12-12-2018

Hi all,

I am using Splunk Add-on for Microsoft Cloud Services.
The collected Workload types are as follows.
- AzureActiveDirectory
- MicrosoftTeams
- Exchange

Of the above Workloads, the microsoftteams log is not needed and I do not want to index the splunk.
Is there a way to exclude the log whose workload is MicrosoftTeams when it proceeds to index?

hkubavat_splunk · ‎01-20-2019

No, There is no way to exclude a particular workload log in MSCS addon. It will fetch all the log through management activity API.

View solution in original post

ssanplunk · ‎01-20-2019

I used "TRANSFORMS-filter" to exclude a particular workload log.

props.conf

# add TRANSFORMS-filter
[ms:o365:management]
TRANSFORMS-filter = o365null

transforms.conf

# if it match the regex, go to nullQueue
[o365null]
REGEX = (MicrosoftTeams)
DEST_KEY = queue
FORMAT = nullQueue

Thanks!

hkubavat_splunk · ‎01-20-2019

No, There is no way to exclude a particular workload log in MSCS addon. It will fetch all the log through management activity API.

How to exclude the MicrosoftTeams Workload log?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!