https://community.splunk.com/t5/Getting-Data-In/Log-filtering-before-indexing/m-p/669332#M112225 <P>I want to filter the palo logs at the forwarder level by looking at the packet before indexing (licensing) based certain condition like... zone, firewall name (enterprise) etc</P><P>The logs come to both our UF &amp; HF, what is the best way to achieve it.</P><P>Was looking into a few docs suggesting to apply ingest eval, is that feasible?</P><P>Can anyone please help me with this.</P> Tue, 21 Nov 2023 14:14:39 GMT NeharikaVats 2023-11-21T14:14:39Z https://community.splunk.com/t5/Getting-Data-In/Log-filtering-before-indexing/m-p/669332#M112225 <P>I want to filter the palo logs at the forwarder level by looking at the packet before indexing (licensing) based certain condition like... zone, firewall name (enterprise) etc</P><P>The logs come to both our UF &amp; HF, what is the best way to achieve it.</P><P>Was looking into a few docs suggesting to apply ingest eval, is that feasible?</P><P>Can anyone please help me with this.</P> Tue, 21 Nov 2023 14:14:39 GMT https://community.splunk.com/t5/Getting-Data-In/Log-filtering-before-indexing/m-p/669332#M112225 NeharikaVats 2023-11-21T14:14:39Z https://community.splunk.com/t5/Getting-Data-In/Log-filtering-before-indexing/m-p/669336#M112226 <P>You need to direct the "unwanted" events to a nullqueue</P> Tue, 21 Nov 2023 14:45:13 GMT https://community.splunk.com/t5/Getting-Data-In/Log-filtering-before-indexing/m-p/669336#M112226 ITWhisperer 2023-11-21T14:45:13Z https://community.splunk.com/t5/Getting-Data-In/Log-filtering-before-indexing/m-p/669344#M112228 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/262672">@NeharikaVats</a>&nbsp;,</P><P>you can filter your logs before indexing following the instructions at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A></P><P>You have to apply these configurations in the first Heavy Forwarder you have in your infrastructure.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 21 Nov 2023 15:05:28 GMT https://community.splunk.com/t5/Getting-Data-In/Log-filtering-before-indexing/m-p/669344#M112228 gcusello 2023-11-21T15:05:28Z