Getting Data In

Log filtering before indexing

NeharikaVats
Loves-to-Learn

I want to filter the palo logs at the forwarder level by looking at the packet before indexing (licensing) based certain condition like... zone, firewall name (enterprise) etc

The logs come to both our UF & HF, what is the best way to achieve it.

Was looking into a few docs suggesting to apply ingest eval, is that feasible?

Can anyone please help me with this.

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @NeharikaVats ,

you can filter your logs before indexing following the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Routeandfilterdatad#Filter_event_data_...

You have to apply these configurations in the first Heavy Forwarder you have in your infrastructure.

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You need to direct the "unwanted" events to a nullqueue

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...