Zscaler log filtering

Iana_R · ‎09-10-2024

Hello guys,

I am quite new on the topic so I really need tyour help ^_^.
I am ingesting Zscaler logs in a Splunk Cloud instance using a HeavyForwarder and TCP Inputs. As for AUTH logs the volume is huge, we want to filter logs by limiting logs on following conditions: if one user is logging in one application today, all following logs for this user logging in that application in this specific day (month/date/year) would be discarded and we would start the ingesting next day using the same conditions. I hope this is pretty clear.

I know that this can be done in prop.conf and transform.conf but I am not sure on how I should build the string.

Thank you in advance.

PickleRick · ‎09-10-2024

You cannot do this. At least not using Splunk's built-in functionality. Splunk handles each event separately and doesn't keep "state" so you cannot conditionally influence ingestion process based on other events' values/properties.

You'd need to use some custom script pre-processing the events before ingesting them to Splunk.

Zscaler log filtering

props.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation

Zscaler log filtering

props.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!