We have a home grown application that pings Google DNS on a regular basis. We are ingesting the data from our Meraki wireless devices and I would like to filter out the ICMP messages with the destination of 8.8.8.8. Our events look like this:
7/8/22
8:14:51.427 AM
2022-07-08 07:14:51.427 xxx.xxx.xxx.xxx 1 Location_XXX flows src=xxx.xxx.0.1 dst=8.8.8.8 mac=70:D3:79:XX:XX:XX protocol=icmp type=8 pattern: allow icmp
host = xxx.xx.0.2 source = /syslog0/syslog/meraki/xxx.xx.0.2/messages.log sourcetype = meraki
What would be the most efficient way to filter these messages to help reduce license usage?
Hi @leejones4,
the question is: do you want to filter the full message or a part of it?
If the full message, see https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data...
In other words:
if you want to reduce the event, you can see https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata
Ciao.
Remember that in both ways you cannot use the discarded events or parts of events anymore.
Ciao.
Giuseppe
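A worked version of the first option above (dropping the whole event before it is indexed), added here as an example and not part of Giuseppe's answer: a props.conf/transforms.conf pair that routes ICMP flows to 8.8.8.8 for the `meraki` sourcetype to nullQueue. The stanza name `meraki_drop_icmp_google_dns` is a hypothetical choice; the regex is built from the sample event in the question, and the config has to live on the instance that parses the data (indexer or heavy forwarder), since a universal forwarder does not apply transforms.

```ini
# --- props.conf (on the indexer or heavy forwarder, not the universal forwarder) ---
# Stanza name matches the sourcetype shown in the question (sourcetype = meraki).
# TRANSFORMS-<name> runs at parsing time, before the event is indexed, so events
# sent to nullQueue are never written and do not count against the license.
[meraki]
TRANSFORMS-null = meraki_drop_icmp_google_dns

# --- transforms.conf ---
# Hypothetical stanza name; match the one referenced in props.conf above.
[meraki_drop_icmp_google_dns]
# Anchor on the raw event text from the sample:
#   ... flows src=x.x.0.1 dst=8.8.8.8 mac=... protocol=icmp type=8 pattern: allow icmp
# Escaped dots and the trailing \s keep dst=8.8.8.80 or 8.8.8.8x from matching;
# requiring protocol=icmp means DNS (udp/53) traffic to 8.8.8.8 is still indexed.
REGEX = dst=8\.8\.8\.8\s.*\bprotocol=icmp\b
DEST_KEY = queue
FORMAT = nullQueue
```

Restart splunkd on the parsing tier after the change, and confirm with a search such as `index=* sourcetype=meraki dst=8.8.8.8 protocol=icmp earliest=-15m` that new matching events stop arriving while other Meraki flows still do; dropped events cannot be recovered, so test the regex against a few real events first.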
Thank you for the quick response. I am looking to drop any events that have the ICMP to 8.8.8.8 destination. I appreciate the information links.