Hello everyone,
I have tons of DNS queries in my enterprise on commercial legit domains (e.g. partnerweb.vmware.com, login.live.com) which I don't want to log with Splunk Stream. My configuration is as follows, but apparently it doesn't work:
app: Splunk_TA_stream_wire_data
props.conf
[streamfwd://streamfwd]
TRANSFORMS-blacklist-vmwarecom = vmware.com
transforms.conf
[vmware.com]
REGEX=query\=partnerweb\.vmware\.com
DEST_KEY=queue
FORMAT=nullQueue
Any help would be appreciated.
Kind regards,
Chris