Hi
I am using a Palo Alto firewall. I am getting firewall logs to a syslog server, monitoring those logs, and forwarding them to the indexer and to the search head.
I want to exclude events from a particular src_ip from indexing, as the src is generating a high volume of logs and consuming my license.
How do I exclude these events? Please let me know.
Thanks
Hi @umeshm,
when I speak of location I don't mean on the file system, that isn't relevant, but the server where they are located: they must be on Indexers or, when present, on Heavy Forwarders (as I suppose you have).
Is it clear for you how to configure your filter?
Ciao.
Giuseppe
Hi @umesh,
To filter and discard events you have to find a regex and apply the configurations described at https://docs.splunk.com/Documentation/Splunk/9.0.1/Forwarding/Routeandfilterdatad#Filter_event_data_...
Remember that these configurations must be applied on Indexers or, when present, on Heavy Forwarders.
Ciao.
Giuseppe
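An added example of the props.conf / transforms.conf pair the linked docs describe, not taken from the thread: it routes events from one noisy source IP to nullQueue so they are dropped at parse time, before indexing. The sourcetype `pan:log`, the placeholder address 192.0.2.10, and the assumption that the source IP is the 8th comma-separated field of a standard PAN-OS TRAFFIC/THREAT syslog line are all mine; adjust them to your data.

```ini
# transforms.conf (on the indexers, or on the heavy forwarder if one
# parses the data before the indexers, since parsing happens only once)
#
# Assumed layout: standard PAN-OS TRAFFIC/THREAT syslog, where the 8th
# comma-separated field is the Source IP. The first field also absorbs the
# syslog header (timestamp and hostname), which contains no commas.
# 192.0.2.10 is a placeholder; replace it with the real noisy src_ip.
[drop_noisy_pan_src]
REGEX = ^(?:[^,]*,){7}192\.0\.2\.10,
DEST_KEY = queue
FORMAT = nullQueue

# props.conf (same instance). "pan:log" is an assumed sourcetype; use the
# one your syslog input actually assigns. A [source::...] or [host::...]
# stanza works the same way.
[pan:log]
TRANSFORMS-drop_noisy_pan_src = drop_noisy_pan_src
```

Test the regex against real raw events before deploying it (for example with `| regex _raw="^(?:[^,]*,){7}192\.0\.2\.10,"` in a search), since an anchored pattern that is off by one field matches nothing, and an unanchored one can match far more than intended. After editing the files, restart Splunk on that instance or reload the configuration for the change to take effect.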