Solved: How to exclude the MicrosoftTeams Workload log?

ssanplunk · ‎12-12-2018

Hi all,

I am using Splunk Add-on for Microsoft Cloud Services.
The collected Workload types are as follows.
- AzureActiveDirectory
- MicrosoftTeams
- Exchange

Of the above Workloads, the microsoftteams log is not needed and I do not want to index the splunk.
Is there a way to exclude the log whose workload is MicrosoftTeams when it proceeds to index?

hkubavat_splunk · ‎01-20-2019

No, There is no way to exclude a particular workload log in MSCS addon. It will fetch all the log through management activity API.

View solution in original post

ssanplunk · ‎01-20-2019

I used "TRANSFORMS-filter" to exclude a particular workload log.

props.conf

# add TRANSFORMS-filter
[ms:o365:management]
TRANSFORMS-filter = o365null

transforms.conf

# if it match the regex, go to nullQueue
[o365null]
REGEX = (MicrosoftTeams)
DEST_KEY = queue
FORMAT = nullQueue

Thanks!

hkubavat_splunk · ‎01-20-2019

No, There is no way to exclude a particular workload log in MSCS addon. It will fetch all the log through management activity API.

How to exclude the MicrosoftTeams Workload log?

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

How to exclude the MicrosoftTeams Workload log?

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console