Hi, thanks for your reply.
We only want to collect firewall events that match the following action types: "action=drop,reject,block".
Just configuring the input for firewall events will also collect "action=allow" and other action types, events that we don't need and that, by volume, kill our enterprise license in about 8-9 hours. Also, the fact that on every connection we are downloading everything puts an extra load on the Splunk server, as we have to filter the events at indexing time.
As said previously, doing a quick props/transforms job works, but it would be nice to have more configuration flexibility, as we had in previous versions.
Regards 😉
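For reference, this is the "props/transforms job" the reply refers to, written out as an added example (not configuration from the original post or from the firewall add-on): everything for the sourcetype is first routed to the nullQueue, then events whose action is drop, reject or block are routed back to the indexQueue. The sourcetype name `your_firewall_sourcetype` is a placeholder; the field name `action` and the values are the ones quoted in the post.

```ini
# props.conf (on the indexer or heavy forwarder that parses the data)
# Placeholder sourcetype: replace with the sourcetype your firewall input actually uses.
[your_firewall_sourcetype]
# Transforms run in the listed order; the last one that matches wins for DEST_KEY = queue.
TRANSFORMS-filter_fw_actions = fw_setnull, fw_keep_blocks

# transforms.conf
# Step 1: send every event of this sourcetype to the nullQueue (discard).
[fw_setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Step 2: route only drop/reject/block events back to the indexQueue (keep).
# Anchored on "action=" so that an unrelated field containing the word "block" is not matched.
[fw_keep_blocks]
REGEX = action=(drop|reject|block)\b
DEST_KEY = queue
FORMAT = indexQueue
```

This filtering happens at parse time, so it saves license volume but, as the post notes, not the bandwidth or parsing load of receiving the "allow" events in the first place; a restart of the parsing instance is needed after changing the two files.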