Hi,
Can someone help me filter logs from Checkpoint before they are indexed?
I tried following this link: https://answers.splunk.com/answers/378972/how-to-filter-out-certain-events-from-checkpoint-d.html
but I think my REGEX doesn't work.
I need to ignore all events where the "message_info" field is equal to "Address spoofing". Here are my props.conf and transforms.conf:
props.conf:
[checkpoint:syslog]
# apply the null-queue transform to this sourcetype at parse time
TRANSFORMS-null = setnullCheckpoint
transforms.conf:
[setnullCheckpoint]
# unanchored match against _raw; events that match are routed to nullQueue
REGEX = message_info=Address spoofing
DEST_KEY = queue
FORMAT = nullQueue
Thank you!
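A way to check a nullQueue transform offline before deploying it, added here as an example and not part of the original post: it reads the REGEX out of the transforms.conf stanza above and applies it as an unanchored search to a few constructed sample events (not real Check Point logs). The second sample event, with the value in double quotes, and the quote-tolerant alternative pattern are assumptions made to show how a literal regex can silently miss events.

```python
import configparser
import re

# The transforms.conf stanza from the post, embedded so the script runs offline.
TRANSFORMS_CONF = """
[setnullCheckpoint]
REGEX = message_info=Address spoofing
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events (assumption: not captured from a real device).
# The second event quotes the field value, a common key=value convention.
SAMPLE_EVENTS = [
    'time=1 action=drop message_info=Address spoofing src=10.0.0.1',
    'time=2 action=drop message_info="Address spoofing" src=10.0.0.2',
    'time=3 action=accept message_info=Log rotation src=10.0.0.3',
]

# Alternative pattern (assumption) that tolerates optional double quotes.
QUOTE_TOLERANT_REGEX = r'message_info="?Address spoofing"?'


def load_null_queue_regex(conf_text: str, stanza: str) -> str:
    """Return the REGEX of a transforms.conf stanza after checking that the
    stanza really routes to nullQueue (DEST_KEY = queue, FORMAT = nullQueue)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(conf_text)
    section = cp[stanza]
    if section.get("DEST_KEY") != "queue" or section.get("FORMAT") != "nullQueue":
        raise ValueError(f"{stanza} is not a nullQueue transform")
    return section["REGEX"]


def route_events(events, regex_text: str):
    """Split events into (kept, dropped); Splunk applies the transform REGEX
    to _raw as an unanchored match, which re.search reproduces."""
    pattern = re.compile(regex_text)
    dropped = [e for e in events if pattern.search(e)]
    kept = [e for e in events if not pattern.search(e)]
    return kept, dropped


def simulate(regex_text: str):
    """Return (kept_count, dropped_count) for the constructed sample events."""
    kept, dropped = route_events(SAMPLE_EVENTS, regex_text)
    return len(kept), len(dropped)


if __name__ == "__main__":
    posted = load_null_queue_regex(TRANSFORMS_CONF, "setnullCheckpoint")
    print("posted regex  :", simulate(posted))               # (2, 1)
    print("quote-tolerant:", simulate(QUOTE_TOLERANT_REGEX))  # (1, 2)
```

Run it against a handful of raw lines copied from your own index (search with `index=... sourcetype=checkpoint:syslog` and compare `_raw`) to see whether the literal pattern actually matches how the value appears.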