Hi there,
I am trying to filter out 'url' events from the Palo Alto Networks App and Add-on for Splunk because it is causing us to go over our license limit.
I have a transform that I put together in `./etc/apps/Splunk_TA_paloalto/default/props.conf`:
```ini
[pan:threat]
SHOULD_LINEMERGE = false
# My addition below to filter out URL logs: run the urlfilter transform
# (index time) on every event of this sourcetype
TRANSFORMS-urlfilter = urlfilter
```
and `./etc/apps/Splunk_TA_paloalto/default/transforms.conf`
```ini
[urlfilter]
# Matched against _raw (the default SOURCE_KEY); an event that matches is
# routed to nullQueue and never indexed, so it does not count against the license
REGEX = ^.*(THREAT,url,).*(informational).*$
DEST_KEY = queue
FORMAT = nullQueue
```
After making these changes, I restarted splunk.
Where do I see debugging information as to why this doesn't work?
Also, if you can see why it isn't working, can you please share? :)
Lastly, is there an easier way to do this? The field that I am searching for is already extracted with this TA:
field: `log_subtype`
value i am trying to avoid indexing: `'url'`
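As an added worked example (not part of the original post, and not code from the Palo Alto Networks Add-on), the Python script below applies the posted REGEX to constructed PAN-OS threat-log lines the way Splunk's index-time queue routing does: the transform runs against `_raw` (the default `SOURCE_KEY`) and a match sends the event to `nullQueue`. One caveat that the example makes visible: the routing decision is made at index time on the raw text, so a search-time extracted field such as `log_subtype` is not available to it and the pattern has to locate the subtype in the raw line itself. A second pattern that keys only on the `THREAT,url` type/subtype columns is an assumption of this example, included to show that it also drops URL events whose severity is not `informational`. All sample lines, serial numbers, addresses and field values are constructed, and the CSV layout is abbreviated.

```python
import re
from collections import Counter

# The poster's REGEX, copied from the transforms.conf stanza. Splunk evaluates a
# queue-routing transform against _raw with PCRE; Python's re is equivalent for
# this pattern.
POSTER_REGEX = re.compile(r"^.*(THREAT,url,).*(informational).*$")

# Alternative pattern (an assumption of this example, not from the post): key on
# the type,subtype columns alone so every url-subtype event is dropped, whatever
# its severity. The leading comma anchors it to the serial-number column before it.
URL_SUBTYPE_REGEX = re.compile(r",THREAT,url,")

# Constructed sample events in the PAN-OS CSV layout (abbreviated; not real data).
# Column order used here: receive_time,serial,type,subtype,...,severity,...
# The first line carries a syslog header, as it would when the firewall forwards
# logs over syslog; the header contains no commas, so column positions are unchanged.
SAMPLE_EVENTS = [
    ("<14>May  4 10:00:01 pa-fw1 1,2020/05/04 10:00:01,001122334455,THREAT,url,1,"
     "10.1.1.5,93.184.216.34,allow-web,web-browsing,vsys1,trust,untrust,alert,"
     '"example.com/",(9999),computer-and-internet-info,informational,client-to-server'),
    ("1,2020/05/04 10:00:02,001122334455,THREAT,vulnerability,1,"
     "10.1.1.7,203.0.113.9,allow-web,web-browsing,vsys1,trust,untrust,reset-both,"
     '"HTTP Directory Traversal",(30002),any,critical,client-to-server'),
    ("1,2020/05/04 10:00:03,001122334455,TRAFFIC,end,1,"
     "10.1.1.5,93.184.216.34,allow-web,web-browsing,vsys1,trust,untrust,allow,"
     "1234,5678,tcp,aged-out"),
    ("1,2020/05/04 10:00:04,001122334455,THREAT,url,1,"
     "10.1.1.9,198.51.100.23,allow-web,web-browsing,vsys1,trust,untrust,block-url,"
     '"malware-host.test/",(9999),malware,medium,client-to-server'),
]


def route(raw: str, regex: re.Pattern) -> str:
    """Mimic DEST_KEY=queue / FORMAT=nullQueue: a match drops the event."""
    return "nullQueue" if regex.search(raw) else "indexQueue"


def tally(events, regex: re.Pattern) -> dict:
    """Count how many of the events each queue would receive under a pattern."""
    return dict(Counter(route(event, regex) for event in events))


def dropped_subtypes(events, regex: re.Pattern) -> list:
    """Return (type, subtype) of every event the pattern sends to nullQueue.

    Parsed from CSV columns 4 and 5 so you can confirm that only url events
    were dropped and nothing else was swept up by the pattern.
    """
    dropped = []
    for event in events:
        if route(event, regex) == "nullQueue":
            cols = event.split(",")
            dropped.append((cols[3], cols[4]))
    return dropped


if __name__ == "__main__":
    for name, regex in (("poster's REGEX", POSTER_REGEX),
                        ("subtype-only REGEX", URL_SUBTYPE_REGEX)):
        print(f"{name}: {tally(SAMPLE_EVENTS, regex)}")
        print(f"  dropped: {dropped_subtypes(SAMPLE_EVENTS, regex)}")
```

Run it before touching a production indexer: the first pattern drops only the `informational` URL event and keeps the `medium` one, while the subtype-only pattern drops both URL events and leaves the vulnerability and traffic lines alone. Paste a few real `_raw` lines into `SAMPLE_EVENTS` to check the pattern against your own feed's exact column layout.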