We are trying to filter out events from a Syslog server that is ingesting data for a number of sources, but the one we are trying to filter is from our Meraki devices. Each Meraki is considered a source and the sourcetype is meraki. This is a sample of the events coming into Splunk:
2022-07-08 07:14:51.427 xxx.xxx.xxx.xxx 1 Location_XXX flows src=xxx.xxx.0.1 dst=8.8.8.8 mac=70:D3:79:XX:XX:XX protocol=icmp type=8 pattern: allow icmp
host = xxx.xx.0.2
source = /syslog0/syslog/meraki/xxx.xx.0.2/messages.log
sourcetype = meraki
There are more than 100 sources all using the format: /syslog0/syslog/meraki/<IP Address>/messages.log
How can I put that source in props.conf without listing each one separately?
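As an added example (not from the original post), a props.conf source stanza that covers every Meraki log path with a single wildcard, paired with a transforms.conf rule that drops the matching events; in a `source::` stanza `*` matches any run of characters other than `/`, so one stanza covers all of the per-IP directories. The filtering criterion (dropping `protocol=icmp` flow records) and the stanza name `meraki_drop_icmp` are assumptions, since the post does not say which events should be filtered.

```ini
# props.conf (added example): one stanza for all Meraki sources.
# In a source:: stanza, * matches anything except a path separator,
# and ... matches anything including separators, so this covers
# /syslog0/syslog/meraki/<any IP>/messages.log without listing each IP.
[source::/syslog0/syslog/meraki/*/messages.log]
TRANSFORMS-meraki_filter = meraki_drop_icmp

# transforms.conf (added example): route matching events to nullQueue
# so they are discarded before indexing. The regex is an assumed
# example criterion (ICMP flow records); adjust it to the events you want dropped.
[meraki_drop_icmp]
REGEX = \sprotocol=icmp\s
DEST_KEY = queue
FORMAT = nullQueue
```

Index-time TRANSFORMS run where parsing happens (indexer or heavy forwarder), not on a universal forwarder, so the stanzas must be deployed there. Events sent to nullQueue are never indexed and cannot be recovered afterwards, so test the regex against a sample before rolling it out.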