Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Log filtering before indexing

NeharikaVats
Loves-to-Learn
‎11-21-2023 06:14 AM

I want to filter the palo logs at the forwarder level by looking at the packet before indexing (licensing) based certain condition like... zone, firewall name (enterprise) etc

The logs come to both our UF & HF, what is the best way to achieve it.

Was looking into a few docs suggesting to apply ingest eval, is that feasible?

Can anyone please help me with this.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-21-2023 07:05 AM

Hi @NeharikaVats ,

you can filter your logs before indexing following the instructions at https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/Routeandfilterdatad#Filter_event_data_...

You have to apply these configurations in the first Heavy Forwarder you have in your infrastructure.

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-21-2023 06:45 AM

You need to direct the "unwanted" events to a nullqueue

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...