https://community.splunk.com/t5/Getting-Data-In/Filtering-Cisco-ASA-Session-log-to-remove-logging-for-a-session/m-p/529317#M89180 <P>Hi, I meant I want to keep ID<SPAN>302013. But I don't&nbsp;want to keep&nbsp; ID302013 if it contains a specific IP address.</SPAN></P><P><SPAN>I wanted to try and simplify the set up rather than have multiple&nbsp;servers, we don't&nbsp;have much resource here, but may have to look and see if there a syslog server that may make the filtering bit a bit easier. The way to filter in Splunk doesn't&nbsp;look the easiest to implement, which is why I&nbsp;did as much as I could from the source device.&nbsp;</SPAN></P> Fri, 13 Nov 2020 15:12:23 GMT timoggy 2020-11-13T15:12:23Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Cisco-ASA-Session-log-to-remove-logging-for-a-session/m-p/529286#M89175 <P>Hi,</P><P>I'm very new to Splunk,&nbsp; and struggling to find a way to filter a specific log which is consuming a large proportion of my license.</P><P>I have a Cisco ASA set up to send events to Splunk UDP port as syslog. I've restricted the logs to what I want to see by using the Built in filter tools within the ASA.&nbsp;</P><P>From what I can see within the forum, there are lots of people asking how to filter based off Syslog ID, but I want to filter out based off Syslog ID 302013 and IP xxx.xxx.xxx.xxx, as I want to keep 302013 apart from anything containing that specific IP.</P><P>I don't even know where to start, but I know this can't be done from the cisco device, so has to be done on the Splunk server.</P><P>Would really appreciate someone pointing me in the right direction.</P><P>Thanks,</P><P>Tim</P> Fri, 13 Nov 2020 11:30:46 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Cisco-ASA-Session-log-to-remove-logging-for-a-session/m-p/529286#M89175 timoggy 2020-11-13T11:30:46Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Cisco-ASA-Session-log-to-remove-logging-for-a-session/m-p/529312#M89178 <P>Please clarify your requirements since "filter" and "keep apart" mean two different things in my world.&nbsp; What do you want to do with the ID 302013 events?</P><P>Have read the docs on filtering events?&nbsp; See&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad</A></P><P>Are you aware that sending syslog directly to Splunk is discouraged?&nbsp; Best Practice is to send syslog to a dedicated syslog server and then forward to Splunk.&nbsp; This helps to reduce data loss, plus syslog server often have built-in filtering features.&nbsp; See&nbsp;<A href="http://www.georgestarcher.com/splunk-success-with-syslog/" target="_blank">http://www.georgestarcher.com/splunk-success-with-syslog/</A></P> Fri, 13 Nov 2020 14:43:43 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Cisco-ASA-Session-log-to-remove-logging-for-a-session/m-p/529312#M89178 richgalloway 2020-11-13T14:43:43Z https://community.splunk.com/t5/Getting-Data-In/Filtering-Cisco-ASA-Session-log-to-remove-logging-for-a-session/m-p/529317#M89180 <P>Hi, I meant I want to keep ID<SPAN>302013. But I don't&nbsp;want to keep&nbsp; ID302013 if it contains a specific IP address.</SPAN></P><P><SPAN>I wanted to try and simplify the set up rather than have multiple&nbsp;servers, we don't&nbsp;have much resource here, but may have to look and see if there a syslog server that may make the filtering bit a bit easier. The way to filter in Splunk doesn't&nbsp;look the easiest to implement, which is why I&nbsp;did as much as I could from the source device.&nbsp;</SPAN></P> Fri, 13 Nov 2020 15:12:23 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-Cisco-ASA-Session-log-to-remove-logging-for-a-session/m-p/529317#M89180 timoggy 2020-11-13T15:12:23Z