I have an Apache instance with Splunk Forwarder installed that sends logs to Splunk Cloud directly (no heavy forwarders).
In /var/log/httpd/error_logs, we have tons of entries from our load balancer checking the status:
[Thu May 14 12:11:42.799506 2020] [rewrite:trace2] [pid 26491:tid mod_rewrite.c(470): [client 10.2.35.111:29429] 10.2.35.111 - - [10.2.35.111/sid#559b685a5a10][rid#559b689f9aa0/initial] init rewrite engine with requested uri /en/healthcheck.html
How do I exclude this before going to Splunk Cloud Indexer?
I tried adding props.conf and transforms.conf under /opt/splunkforwarder/etc/system/local/, but it did not work.