Hello all! So I've got some Palo Altos forwarding their syslogs over to my Splunk instance. I want to receive alerts on High and Critical findings. That works like a charm with the following parameters:
sourcetype="pan:threat" severity=high
Pretty simple. However, I'm getting a lot of traffic that I know to be false positives, and it is completely using up my disk space and making me hit up against the license max. Is there a way to drop certain events and not alert or log on them as they come in?
Here's some internal traffic that is known-good.
https://imgur.com/ErIyf1i
That is a perfect example of something I would just like Splunk to see and discard immediately.
Thanks in advance
Discard specific events and keep the rest
http://docs.splunk.com/Documentation/Splunk/7.0.2/Forwarding/Routeandfilterdatad
Since I think that "pan:log" is set, it is necessary to change the configuration file of the "Palo Alto Networks Add-on for Splunk".
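As an added illustration of the route-and-filter approach from that doc page (not configuration from the original poster, the answerer or the Palo Alto Networks add-on itself): a props.conf/transforms.conf pair that sends matching events to nullQueue before they are indexed, so they neither trigger the alert nor count against the license. The stanza is keyed on the input sourcetype pan:log because the add-on rewrites it to pan:threat later in parsing (an assumption based on the answer above); the IP address and threat name in REGEX are constructed placeholders to replace with the actual values from your known-good traffic.

```ini
# props.conf  (local/ directory of the app that owns the pan:log input,
#              on the indexer or heavy forwarder that parses the data)
# Assumption: the raw event still carries sourcetype pan:log when
# index-time TRANSFORMS run, i.e. before the add-on's own sourcetype rewrite.
[pan:log]
TRANSFORMS-00_drop_known_good = pan_threat_drop_known_good

# transforms.conf  (same app, same local/ directory)
# REGEX runs against the raw event text, not against extracted fields.
# 10.20.30.40 and KNOWN_GOOD_SIGNATURE_PLACEHOLDER are constructed
# placeholders: replace them with the internal host and threat name that
# are known false positives. Keep the regex anchored to field delimiters
# (the commas of the PAN CSV format) so it cannot match a substring of
# an unrelated address such as 10.20.30.4.
[pan_threat_drop_known_good]
REGEX    = ,THREAT,.*,10\.20\.30\.40,.*,KNOWN_GOOD_SIGNATURE_PLACEHOLDER,
DEST_KEY = queue
FORMAT   = nullQueue
```

Verify the merged configuration with `splunk btool props list pan:log --debug` and `splunk btool transforms list pan_threat_drop_known_good --debug`, then restart Splunk on the parsing tier; dropped events can be confirmed by searching `sourcetype="pan:threat" severity=high` for the placeholder host after the restart and seeing no new results.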