Hello guys, I am quite new on the topic so I really need your help ^_^. I am ingesting Zscaler logs in a Splunk Cloud instance using a Heavy Forwarder and TCP inputs. As the volume of AUTH logs is huge, we want to filter logs by limiting them on the following conditions: if one user logs in to one application today, all following logs for this user logging in to that application on this specific day (month/date/year) would be discarded, and we would start ingesting again the next day using the same conditions. I hope this is pretty clear. I know that this can be done in props.conf and transforms.conf but I am not sure how I should build the string. Thank you in advance.
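The filtering rule described in the question, as an added example that is not part of the original post: a stateful first-seen filter keyed on (user, application, calendar day of the event). It is written in Python rather than as a props.conf/transforms.conf string because those configurations evaluate each event on its own and keep no memory of earlier events; the JSON field names and sample lines are constructed for the example and are not Zscaler's real schema.

```python
import json
from datetime import datetime, timezone

# Constructed sample events in a Zscaler-like JSON layout (field names are
# assumptions, not the real Zscaler schema); "time" is epoch seconds (UTC).
SAMPLE_LINES = [
    '{"time": 1700000000, "user": "alice@example.com", "app": "Salesforce"}',
    '{"time": 1700003600, "user": "alice@example.com", "app": "Salesforce"}',  # same day: dropped
    '{"time": 1700003700, "user": "alice@example.com", "app": "Box"}',         # new app: kept
    '{"time": 1700003800, "user": "bob@example.com", "app": "Salesforce"}',    # new user: kept
    '{"time": 1700090000, "user": "alice@example.com", "app": "Salesforce"}',  # next day: kept
]


class FirstSeenPerDayFilter:
    """Keep the first auth event per (user, app) for each calendar day, drop the rest.

    State: {day: set of (user, app) already seen on that day}. Days older than the
    newest day observed are forgotten to bound memory, so a late-arriving event from a
    forgotten day would be kept rather than dropped.
    """

    def __init__(self):
        self.seen = {}

    def keep(self, event):
        # The day comes from the event's own timestamp (UTC), not from the wall clock,
        # so the rule is "first login that day" even when events arrive with a delay.
        day = datetime.fromtimestamp(event["time"], tz=timezone.utc).date()
        key = (event["user"], event["app"])
        seen_today = self.seen.setdefault(day, set())
        if key in seen_today:
            return False
        seen_today.add(key)
        for old_day in [d for d in self.seen if d < day]:
            del self.seen[old_day]
        return True


def filter_lines(lines):
    """Return only the JSON lines that survive the per-day first-seen filter."""
    f = FirstSeenPerDayFilter()
    return [line for line in lines if f.keep(json.loads(line))]


if __name__ == "__main__":
    for kept in filter_lines(SAMPLE_LINES):
        print(kept)
```

Note that every dropped line is a login that happened later the same day, so a search that looks for, say, a second login from a different source address or one following failed attempts would never see it; that is the trade-off this filter makes.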