I have tons of DNS queries in my enterprise on commercial legit domains (eg. partnerweb.vmware.com, login.live.com) which I don't want to log with Splunk Stream. My configuration is as follows but apparently it doesn't work:
TRANSFORMS-blacklist-vmwarecom = vmware.com
Any help would be appreciated.