I am getting killed on licensing with the amount of useless data from my IronPort WSA. At this point Splunk is being utilized by HR for individual IP reporting. What is the best place to block the data that I don't need. The junk in the < > is useless to them except the C_A110.
Any help would be greatly appreciated.
|œ ââL1289937535.401 32 10.135.73.188 TCP_MISS/304 229 GET http://photos-b.ak.fbcdn.net/photos-ak-snc1/v27562/209/148475945166653/app_2_148475945166653_1896.gif - DIRECT/photos-b.ak.fbcdn.net image/gif ALLOW_CUSTOMCAT_11-Aurora_Base_Policy-DefaultGroup-NONE-NONE-NONE-DefaultGroup <C_All0,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",57.25,0,-,"-","-"> -_h::1 _s::1 _st::1 _indextime::1290789832 timestartpos::0 timeendpos::14 _subsecond::.401 date_second::55 date_hour::19 date_minute::58 date_year::2010 date_month::november date_mday::16 date_wday::tuesday date_zone::0 punct::.__..._/___://-.../--////._-_/-..._/_------_<,-,\"-
... View more