Thanks rsennett for your suggested solution. It's definitely the quick way to go and will give value through learning.

I've heard this once or twice before and I see this in a lot of customer installs, so I will consider adding a toggle in the overview page to include/exclude WLC events. To do this I need to be able to identify the WLC, something we don't do currently as the IOS and WLC log format is quite identical. One possibility would be an EVAL to change the product field to WLC if the two fields filename and filename_line are present. I will look into this shortly 🙂

Regards,
Mikael, author of the Networks app

Thanks for you information. What you have said makes sense. I will proceed in that direction.

Something to consider... While your proposal suggests that you are quite new to Splunk, the IOS app is very clearly written, in a quite uncomplicated way. A very good way to advance your Splunk skills would be to take a look at what's driving the dashboard in question. (you haven't mentioned which one). Click on Edit>Edit Panels. Take a look at the search or pivot for the panels where you would like to see the WLC separated out... if it is a search, run the search by itself in the search view... if it is a pivot, run it in pivot. Take a look at the fields available to you, and consider what might identify one type of event as opposed to another. Once you identify that, you could, just filter the unwanted data out of the search. The simple, yet inefficient way would be to add NOT "whatever" to the left of the first pipe. If the data can be identified by the presence of a particular field you could more efficiently exclude it or include the ones you want deliberately by naming the field. Perhaps clone the dashboard first, and mess with a copy to get it the way you want it...