Solved: How to exclude the MicrosoftTeams Workload log?

ssanplunk · ‎12-12-2018

Hi all,

I am using Splunk Add-on for Microsoft Cloud Services.
The collected Workload types are as follows.
- AzureActiveDirectory
- MicrosoftTeams
- Exchange

Of the above Workloads, the microsoftteams log is not needed and I do not want to index the splunk.
Is there a way to exclude the log whose workload is MicrosoftTeams when it proceeds to index?

hkubavat_splunk · ‎01-20-2019

No, There is no way to exclude a particular workload log in MSCS addon. It will fetch all the log through management activity API.

View solution in original post

ssanplunk · ‎01-20-2019

I used "TRANSFORMS-filter" to exclude a particular workload log.

props.conf

# add TRANSFORMS-filter
[ms:o365:management]
TRANSFORMS-filter = o365null

transforms.conf

# if it match the regex, go to nullQueue
[o365null]
REGEX = (MicrosoftTeams)
DEST_KEY = queue
FORMAT = nullQueue

Thanks!

hkubavat_splunk · ‎01-20-2019

No, There is no way to exclude a particular workload log in MSCS addon. It will fetch all the log through management activity API.

How to exclude the MicrosoftTeams Workload log?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation