Getting Data In

Log filtering before indexing

NeharikaVats
Loves-to-Learn

I want to filter the palo logs at the forwarder level by looking at the packet before indexing (licensing) based certain condition like... zone, firewall name (enterprise) etc

The logs come to both our UF & HF, what is the best way to achieve it.

Was looking into a few docs suggesting to apply ingest eval, is that feasible?

Can anyone please help me with this.

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @NeharikaVats ,

you can filter your logs before indexing following the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Routeandfilterdatad#Filter_event_data_...

You have to apply these configurations in the first Heavy Forwarder you have in your infrastructure.

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You need to direct the "unwanted" events to a nullqueue

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...