Go to Settings > Usage to open the “Manage Usage” page. Click Add Rule and fill out the fields. Sources, Apps, and Query are optional: you can fill out all of them or only one.
The "Preserve these lines for live-tail and alerting" checkbox:
If it's unchecked, matching log lines do not go through live tail at all. They are ignored completely when we receive them.
If it's checked, matching log lines still go through live tail. Because they reach live tail, you can still set up an alert on them and get notified.
Step 1: Go to Settings > Usage
Step 2: On the Manage Usage page, click on Exclusion Rules, then click on Add Rule
Step 3:
Name your exclusion rule however you prefer.
The Sources, Apps, and Query fields are optional; you don't have to fill them all out. To exclude all log lines coming from a specific source, add the name of that source in the "Sources" field and keep the other fields blank. The same works for an app. You can also exclude all logs coming from a specific source (host) and app by filling out both the "Sources" and "Apps" fields.
You can also go more granular by adding an additional filter, so that the rule excludes log lines from certain sources and apps that also include, for example, the string "demo", or "response:403" to exclude lines where the response is 403.
The "Preserve these lines for live-tail and alerting" checkbox:
If it's unchecked, matching log lines do not go through live tail at all. They are ignored completely when we receive them and are not stored in the ES, so you won't be charged.
If it's checked, matching log lines still go through live tail. Because they reach live tail, you can set up an alert on them and get notified. They are still not stored in the ES, so you won't be charged.
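Before saving a rule, it helps to check which lines it would take out of storage. The following is an added example, not code from the product: a small Python model of the rule behaviour described above. It assumes that blank fields match everything, that filled-in fields are combined with AND, and that the query is a plain substring match; the class, function names and sample lines are made up for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class ExclusionRule:
    """Model of one exclusion rule; a blank field places no constraint."""
    name: str
    sources: set = field(default_factory=set)
    apps: set = field(default_factory=set)
    query: str = ""          # assumed: plain substring match on the line text
    preserve: bool = False   # "Preserve these lines for live-tail and alerting"

    def matches(self, line: dict) -> bool:
        # Every field that is filled in must match (source AND app AND query).
        return ((not self.sources or line["source"] in self.sources)
                and (not self.apps or line["app"] in self.apps)
                and (not self.query or self.query in line["text"]))

def route(line: dict, rule: ExclusionRule) -> str:
    """Return where a line ends up: 'stored', 'live-tail only' or 'dropped'."""
    if not rule.matches(line):
        return "stored"              # unaffected: live tail and storage
    return "live-tail only" if rule.preserve else "dropped"

def dry_run(lines: list, rule: ExclusionRule) -> Counter:
    """Count outcomes so the effect of a rule is visible before it is saved."""
    return Counter(route(line, rule) for line in lines)

# Constructed sample lines (not real logs).
SAMPLE = [
    {"source": "web-01", "app": "nginx", "text": "GET /login response:403"},
    {"source": "web-01", "app": "nginx", "text": "GET /index response:200"},
    {"source": "web-02", "app": "nginx", "text": "GET /admin response:403"},
    {"source": "db-01", "app": "postgres", "text": "checkpoint complete"},
]

if __name__ == "__main__":
    narrow = ExclusionRule("web-01 403s", {"web-01"}, {"nginx"},
                           "response:403", preserve=True)
    broad = ExclusionRule("all of web-01", sources={"web-01"})
    for rule in (narrow, broad):
        print(rule.name, dict(dry_run(SAMPLE, rule)))
```

Lines reported as "dropped" or "live-tail only" are not stored, so they will not be searchable later; only the "live-tail only" ones can still trigger an alert.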