How to ignore a log event from indexing?

Builder

Hi

We have firewall logs coming in through syslog/Heavy Forwarder. I have a log event containing the message below that is taking up a lot of space. How can I ignore it while indexing?

Apr 3 09:59:00 123.22.132.4 :Apr 03 15:04:00 UTC: %ASA-session-1-106021: Deny UDP reverse path check from 122.23.24.25 to 11.12.13.14 on interface inside

Excluding the events which contain "Deny UDP reverse path check from 122.23.24.25 to 11.12.13.14 on interface inside"

0 Karma

Re: How to ignore a log event from indexing?

Splunk Employee

You can route events to the nullqueue. Here is the relevant doc:

http://docs.splunk.com/Documentation/Splunk/6.5.3/Forwarding/Routeandfilterdatad#Filter_event_data_a...

Jacob
Sr. Technical Support Engineer
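
The nullQueue routing mentioned in the answer, written out for the exact message in the question. This is an added example, not part of the original reply; the stanza name `drop_asa_106021_rpf` and the sourcetype `cisco:asa` are assumptions, so substitute the sourcetype actually assigned to this syslog input.

```ini
# transforms.conf -- deploy on the heavy forwarder, since that is where
# these events are parsed before being sent on to the indexers.
[drop_asa_106021_rpf]
# Match only this one deny message. Dots in the IP addresses are escaped
# so they match literally and do not catch neighbouring addresses.
REGEX = %ASA-session-1-106021: Deny UDP reverse path check from 122\.23\.24\.25 to 11\.12\.13\.14 on interface inside
# Send matching events to the null queue instead of the index queue.
DEST_KEY = queue
FORMAT = nullQueue

# props.conf -- same instance as transforms.conf.
# "cisco:asa" is an assumed sourcetype; a [source::...] or [host::...]
# stanza works as well if that is how the input is identified.
[cisco:asa]
TRANSFORMS-drop_rpf = drop_asa_106021_rpf
```

Restart the heavy forwarder for the change to take effect. Events routed to nullQueue are discarded before indexing and cannot be recovered or searched afterwards, so keep the regex pinned to the single source/destination pair rather than to message ID 106021 as a whole.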