Hello,
We have some PA devices in our network sending data to our master indexer over UDP:515. This data is being indexed fine, but one of our networks that's monitored is a guest network, and is sending a lot of extra information that we're looking to not index.
I've attempted to set a transform and property, but all that did was completely eliminate all new data, so I reverted that change.
Here's the inputs.conf:

    [udp://515]
    connection_host = ip
    sourcetype = pan_log
    no_appending_timestamp = true
    index = pan_logs
The transforms.conf and props.conf exist in the defaults directory and are the defaults that came with the app.
I know you can modify all of the dashboards to include an exception to not include the results in searches, but the requester is asking to modify the data before it's indexed.
Anyone have any ideas on how to do this?
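One way to drop the guest-network events at parse time, as an added configuration example that is not from the original post or the Palo Alto app: props.conf attaches an index-time transform to the `pan_log` sourcetype the input already uses, and transforms.conf routes any event whose raw text matches a regex to `nullQueue`, so it is never written to the `pan_logs` index. The stanza names `drop_guest_network` / `drop_guest`, the `192.0.2.` guest subnet, and the `local` directory are assumptions; the regex must be replaced with whatever uniquely identifies the guest-network events in the actual log lines. Because the UDP input lands directly on the indexer, both files go on the indexer (a universal forwarder would not apply them).

```ini
# props.conf (assumed location: $SPLUNK_HOME/etc/apps/<app>/local/ on the indexer)
# Placed in local/ so the app's default props.conf for pan_log is extended,
# not overwritten. The class name after "TRANSFORMS-" is arbitrary.
[pan_log]
TRANSFORMS-drop_guest = drop_guest_network

# transforms.conf (same local/ directory)
# REGEX is matched against _raw. Only events that match are sent to
# nullQueue; everything else continues to the normal indexing pipeline.
# 192.0.2.x is a placeholder subnet, not a value from the original post.
[drop_guest_network]
REGEX = ,192\.0\.2\.\d{1,3},
DEST_KEY = queue
FORMAT = nullQueue
```

Before enabling it, confirm the regex matches only the guest-network events with a search such as `index=pan_logs | regex _raw=",192\.0\.2\.\d{1,3},"` and compare the count against `index=pan_logs` as a whole; a pattern that matches every event (or an empty one) sends the whole feed to nullQueue, which is the "all new data disappeared" symptom described above. The change only affects events parsed after the indexer restarts; data already indexed is untouched.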