Time to learn about the "nullQueue" capability. (Google "Splunk nullQueue".) You will write a regex to match the DHCP messages, and send them to the nullQueue, so that they do not get indexed. But do you really want to drop those DHCP messages? I use them on my home router to determine what MAC addresses are on my network (usual ones and rare ones). I correlate them with a mac-to-vendor lookup table to know more about what kind of devices are on the network. And since my kids' nanny's iPhone attaches to my network at the same time daily, I can use Splunk to prove that she was on time. Or not. 🙂
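As an added illustration of the nullQueue routing the post describes (this is example configuration, not something the poster supplied), the two stanzas below send DHCP lease messages to the nullQueue at parse time. The sourcetype name `syslog`, the transform name `drop_dhcp`, and the regex matching the usual ISC dhcpd message keywords are assumptions; adjust them to whatever your router actually logs.

```ini
# props.conf (on the indexer or heavy forwarder that parses the data;
# a universal forwarder does not run TRANSFORMS, so this must sit on the parsing tier)
[syslog]
TRANSFORMS-drop_dhcp = drop_dhcp

# transforms.conf
[drop_dhcp]
# Assumed regex: matches the DHCP message types an ISC dhcpd-style router emits.
# REGEX is applied to the raw event text (_raw) before indexing.
REGEX = DHCP(DISCOVER|OFFER|REQUEST|ACK|NAK|INFORM|RELEASE)
DEST_KEY = queue
FORMAT = nullQueue
```

Events that match are discarded before indexing and do not count against license volume, but they are also gone for good: there is no way to recover them later for the kind of MAC-address inventory or presence check the post mentions. If you want to cut noise without losing that visibility, route the DHCP events to a separate index with a short retention period instead of the nullQueue (set `DEST_KEY = _MetaData:Index` and `FORMAT = <index name>` in the transform), and keep the mac-to-vendor lookup pointed at that index.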