Getting Data In

How to write props.conf / transforms.conf to filter out ICMP events?

leejones4
Explorer

We have a home-grown application that pings Google DNS on a regular basis.  We are ingesting the data from our Meraki wireless devices and I would like to filter out the ICMP messages with the destination of 8.8.8.8.  Our events look like this:

7/8/22
8:14:51.427 AM
2022-07-08 07:14:51.427 xxx.xxx.xxx.xxx 1 Location_XXX flows src=xxx.xxx.0.1 dst=8.8.8.8 mac=70:D3:79:XX:XX:XX protocol=icmp type=8 pattern: allow icmp
host = xxx.xx.0.2
source = /syslog0/syslog/meraki/xxx.xx.0.2/messages.log
sourcetype = meraki

What would be the most efficient way to filter these messages to help reduce license usage? 

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @leejones4,

the question is: do you want to filter the full message or a part of it?

If the full message, see https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data...

In other words:

if you want to reduce the event, see https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata

Ciao.

Remember that in both ways you cannot use the discarded events or parts of events anymore.

Ciao.

Giuseppe

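As an added example (not code from this thread or from Splunk), here is the props.conf/transforms.conf pair that routes the full event to nullQueue, together with a POSIX shell check that runs the same regex against constructed sample events. It assumes the sourcetype is meraki, as shown in the sample event, and that the two files are placed on the indexer or heavy forwarder that parses the data, since a universal forwarder does not apply these transforms.

```shell
# Added example: drop Meraki ICMP flow events whose destination is 8.8.8.8.
# Assumed sourcetype: "meraki" (taken from the sourcetype field in the question).

# One pattern for both transforms.conf (PCRE) and grep -E (POSIX ERE):
# match the dst field followed by whitespace (so 8.8.8.80 does not match),
# then require protocol=icmp later in the same event.
DROP_REGEX='dst=8\.8\.8\.8[[:space:]].*protocol=icmp([[:space:]]|$)'

# Write props.conf and transforms.conf into the directory given as $1
# (for example $SPLUNK_HOME/etc/system/local on the parsing instance).
write_conf() {
    cat > "$1/props.conf" <<EOF
[meraki]
TRANSFORMS-drop_icmp_googledns = drop_icmp_googledns
EOF
    cat > "$1/transforms.conf" <<EOF
[drop_icmp_googledns]
REGEX = $DROP_REGEX
DEST_KEY = queue
FORMAT = nullQueue
EOF
}

# Return 0 if the event in $1 would be discarded, 1 if it would be indexed.
is_dropped() {
    printf '%s\n' "$1" | grep -Eq "$DROP_REGEX"
}

# Constructed sample events modelled on the one in the question (not real data).
ICMP_GOOGLE='2022-07-08 07:14:51.427 10.0.0.5 1 Location_A flows src=10.0.0.1 dst=8.8.8.8 mac=70:D3:79:00:00:01 protocol=icmp type=8 pattern: allow icmp'
ICMP_OTHER='2022-07-08 07:14:52.001 10.0.0.5 1 Location_A flows src=10.0.0.1 dst=8.8.4.4 mac=70:D3:79:00:00:01 protocol=icmp type=8 pattern: allow icmp'
DNS_GOOGLE='2022-07-08 07:14:52.102 10.0.0.5 1 Location_A flows src=10.0.0.1 dst=8.8.8.8 mac=70:D3:79:00:00:01 protocol=udp sport=51234 dport=53 pattern: allow all'
ICMP_LOOKALIKE='2022-07-08 07:14:53.300 10.0.0.5 1 Location_A flows src=10.0.0.1 dst=8.8.8.80 mac=70:D3:79:00:00:01 protocol=icmp type=8 pattern: allow icmp'

main() {
    dir=$(mktemp -d)
    write_conf "$dir"
    cat "$dir/props.conf" "$dir/transforms.conf"
    for ev in "$ICMP_GOOGLE" "$ICMP_OTHER" "$DNS_GOOGLE" "$ICMP_LOOKALIKE"; do
        if is_dropped "$ev"; then echo "DROP: $ev"; else echo "KEEP: $ev"; fi
    done
    rm -r "$dir"
}
main
```

Only the first sample is dropped: the other ICMP destination, the UDP DNS query to 8.8.8.8, and the look-alike address are all kept, which is the behaviour to confirm before deploying, because events sent to nullQueue are gone for good.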
leejones4
Explorer

Thank you for the quick response.  I am looking to drop any events that have the ICMP to 8.8.8.8 destination.  I appreciate the information links. 
