We have firewall logs coming in through syslog/Heavy Forwarder, I have a log event which contains below message taking up lot of space. How to ignore this while indexing?
Apr 3 09:59:00 22.214.171.124 :Apr 03 15:04:00 UTC: %ASA-session-1-106021: Deny UDP reverse path check from 126.96.36.199 to 188.8.131.52 on interface inside
excluding the events which contains "Deny UDP reverse path check from 184.108.40.206 to 220.127.116.11 on interface inside"
You can route events to the nullqueue. Here is the relevant doc: