Eliminate Check Point logs before indexing them into Splunk
InformationalHere is an example of how to ignore all events that the "message_info" field is equal to "Address spoofing":
props.conf:
[checkpoint:syslog]
TRANSFORMS-null=setnullCheckpoint
transforms.conf
[setnullCheckpoint]
REGEX=message_info="Address spoofing"
DEST_KEY=queue
FORMAT=nullQueue