Destinations

• 1: Amazon
• 1.1: Amazon S3
• 2: Apache Kafka
• 3: Clickhouse
• 4: Crowdstrike
• 5: Elastic
• 5.1: Elastic Cloud
• 5.2: Elasticsearch
• 6: Generic
• 6.1: /dev/null
• 7: Google
• 7.1: Google Cloud Pub/Sub
• 8: Grafana
• 8.1: Grafana Loki
• 9: Microsoft
• 9.1: Azure Monitor
• 9.2: Microsoft Sentinel
• 10: OpenObserve
• 11: Splunk
• 11.1: Splunk Cloud
• 11.2: Splunk Enterprise

1 - Amazon

1.1 - Amazon S3

To add an Amazon S3 destination to Axoflow, complete the following steps.

Prerequisites

• An existing S3 bucket configured for programmatic access, and the related ACCESS_KEY and SECRET_KEY of a user that can access it. The user needs to have the following permissions:

  • kms:Decrypt
  • kms:Encrypt
  • kms:GenerateDataKey
  • s3:ListBucket
  • s3:ListBucketMultipartUploads
  • s3:AbortMultipartUpload
  • s3:ListMultipartUploadParts
  • s3:PutObject

• To configure Axoflow, you’ll need the bucket name, region (or URL), access key, and the secret key of the bucket.

Steps

1. Create a new destination.

   1. Open the Axoflow Console.
   2. Select Topology.
   3. Select + > Destination.

2. Configure the destination.

   1. Select Amazon S3.

   2. Enter a name for the destination.

      

   3. Enter the name of the bucket you want to use.

   4. Enter the region code of the bucket into the Region field (for example, us-east-1.), or select the Use custom endpoint URL option, and enter the URL of the endpoint into the URL field.

   5. Enter the Access key and the Secret key for the account you want to use.

   6. Enter the Object key (or key name), which uniquely identifies the object in an Amazon S3 bucket, for example: my-logs/${HOSTNAME}/.

      You can use AxoSyslog macros in this field.

   1. Select the Object key timestamp format you want to use, or select Use custom object key timestamp and enter a custom template. For details on the available date-related macros, see the AxoSyslog documentation.
   2. Set the maximal size of the S3 object. If an object reaches this size, Axoflow appends an index ("-1", “-2”, …) to the end of the object key and starts a new object after rotation.
   3. Select Create.
3. Create a flow to connect the new destination to an AxoRouter instance.

   1. Select Flows.

   2. Select Create New Flow.

   3. Enter a name for the flow, for example, my-test-flow.

      

   4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

   5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      

   6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      

   7. Select Create.

   8. The new flow appears in the Flows list.

      

2 - Apache Kafka

Coming soon

If you’d like, we can send you an email when we update this page.

3 - Clickhouse

Coming soon

If you’d like, we can send you an email when we update this page.

4 - Crowdstrike

Coming soon

If you’d like, we can send you an email when we update this page.

5 - Elastic

5.1 - Elastic Cloud

To add an Elasticsearch destination to Axoflow, complete the following steps.

Prerequisites

• An Elastic Cloud account for Axoflow, or
• a self-hosted Elasticsearch deployment.
• To configure Axoflow, you’ll need the username, password, and the Elasticsearch index where you want to send your data.

Steps

1. Create a new destination.

   1. Open the Axoflow Console.
   2. Select Topology.
   3. Select + > Destination.

2. Configure the destination.

   1. Select Elasticsearch.

   2. Select which type of configuration you want to use:

      • Simple: Send all data into a single index.
      • Dynamic: Send data to an index based on the content or metadata of the incoming messages (or to a default index).
      • Advanced: Allows you to specify a custom URL endpoint.

   3. Enter a name for the destination.

      

   4. Configure the endpoint of the destination.

      • Advanced: Enter your Elasticsearch URL into the URL field, for example, http://my-elastic-server:9200/_bulk
      • Simple and Dynamic:
        1. Select the HTTPS or HTTP protocol to use to access your destination.
        2. Enter the Hostname and Port of the destination.

   5. Specify the Elasticsearch index to send the data to.

      • Simple: Enter the expression that specifies the Elasticsearch index to use into the Index field, for example: test-${YEAR}${MONTH}${DAY}. All data will be sent into this index.
      • Dynamic and Advanced: Enter the expression that specifies the default index. The data will be sent into this index if no other index is set during the processing of the message (for example, by the processing steps of the Flow).

      You can use AxoSyslog macros in this field.

   6. Enter the username and password for the account you want to use.

   7. (Optional)

      By default, Axoflow rejects connections to the destination server if the certificate of the server is invalid (for example, it’s expired, signed by an unknown CA, or its CN and the name of the server is mismatched).

      Warning When validating a certificate, the entire certificate chain must be valid, including the CA certificate. If any certificate of the chain is invalid, Axoflow will reject the connection.

      If you want to accept invalid certificates (or no certificate) from the destination servers, disable the Verify server certificate option.

   8. (Optional) Set other options as needed for your environments.

      • Timeout: The number of seconds to wait for a log-forwarding request to complete, and attempt to reconnect the server if exceeded. The default (0) is unlimited. For more details, see the AxoSyslog documentation.
      • Batch Timeout: Maximal time in milliseconds to wait for a batch to be filled before sending it. The default value (-1) means that the batch should be full before sending, which may result in a long wait if the incoming traffic is low. For more details, see the AxoSyslog documentation.
      • Workers: Used for scaling the destination in case of high message load. Specifies the number of worker threads AxoRouter uses for sending messages to the destination. The default is 1. If high message throughput is not a concern, leave it on 1. For maximum performance, increase it up to the number of CPU cores available on AxoRouter. For more details, see the AxoSyslog documentation.

   9. Select Create.

3. Create a flow to connect the new destination to an AxoRouter instance.

   1. Select Flows.

   2. Select Create New Flow.

   3. Enter a name for the flow, for example, my-test-flow.

      

   4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

   5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      

   6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      

   7. Select Create.

   8. The new flow appears in the Flows list.

      

5.2 - Elasticsearch

Coming soon

If you’d like, we can send you an email when we update this page.

6 - Generic

6.1 - /dev/null

This is a null destination that discards (drops) every data it receives, but reports that it has successfully received the data. This is useful sometimes for testing and performance measurements, for example, to find out if a real destination is the bottleneck, or another element in the upstream pipeline.

Steps

1. Create a new destination.

   1. Open the Axoflow Console.
   2. Select Topology.
   3. Select + > Destination.

2. Configure the destination.

   1. Select /dev/null.

   2. Enter a name for the destination.

      

   3. (Optional): Add custom labels to the destination.

   4. Select Create.

3. Create a flow to connect the new destination to an AxoRouter instance.

   1. Select Flows.

   2. Select Create New Flow.

   3. Enter a name for the flow, for example, my-test-flow.

      

   4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

   5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      

   6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      

   7. Select Create.

   8. The new flow appears in the Flows list.

      

7 - Google

7.1 - Google Cloud Pub/Sub

To add a Google Cloud Pub/Sub destination to Axoflow, complete the following steps.

Prerequisites

• A Google Pub/Sub subscription.
• An IAM service account that Axoflow uses for authentication.
• A Google Cloud project that has the Pub/Sub API enabled.

For details, see the Google Pub/Sub tutorial.

Steps

1. Create a new destination.

   1. Open the Axoflow Console.
   2. Select Topology.
   3. Select + > Destination.

2. Configure the destination.

   1. Select Pub/Sub.

   2. Select which type of configuration you want to use:

      • Simple: Send all data into a project and topic.
      • Dynamic: Send data to a project and topic based on the content or metadata of the incoming messages (or to a default project/topic).

   3. Enter a name for the destination.

      

   4. Specify the project and topic to send the data to.

      • Simple: Enter the ID of the GCP Project and the Topic. All data will be sent to this topic.
      • Dynamic: Enter the expression that specifies the default Project and Topic. The data will be sent into here unless it is set during the processing of the message (for example, by the processing steps of the Flow).

      You can use AxoSyslog macros in this field.

   5. Configure the authentication method to access the GCP project.

      • Automatic (ADC): Use the service account attached to the cloud resource (VM) that hosts AxoRouter.

      • Service Account File: Specify the path where a service account key file is located (for example, /etc/axorouter/user-config/). You must manually copy that file to its place, currently you can’t distribute it from Axoflow.

      • None: Disable authentication completely. Only available when the More options > Service Endpoint option is set.

        CAUTION:

        Do not disable authentication in production.

   6. (Optional) Set other options as needed for your environments.

      • Service Endpoint: Use a custom API endpoint. Leave it empty to use the default: https://pubsub.googleapis.com
      • Timeout: The number of seconds to wait for a log-forwarding request to complete, and attempt to reconnect the server if exceeded. The default (0) is unlimited. For more details, see the AxoSyslog documentation.
      • Batch Timeout: Maximal time in milliseconds to wait for a batch to be filled before sending it. The default value (-1) means that the batch should be full before sending, which may result in a long wait if the incoming traffic is low. For more details, see the AxoSyslog documentation.
      • Workers: Used for scaling the destination in case of high message load. Specifies the number of worker threads AxoRouter uses for sending messages to the destination. The default is 1. If high message throughput is not a concern, leave it on 1. For maximum performance, increase it up to the number of CPU cores available on AxoRouter. For more details, see the AxoSyslog documentation.

   7. Select Create.

3. Create a flow to connect the new destination to an AxoRouter instance.

   1. Select Flows.

   2. Select Create New Flow.

   3. Enter a name for the flow, for example, my-test-flow.

      

   4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

   5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      

   6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      

   7. Select Create.

   8. The new flow appears in the Flows list.

      

Pub/Sub attributes

You can embed custom attributes as metadata in Pub/Sub messages in the processing steps of the Flow that’s sending data to the Pub/Sub destination.

To do that:

1. Add a FilterX processing step to the Flow.

2. Edit the Statements field of the processing step:

   1. Add the meta.pubsub.attributes = json(); line to add an empty JSON object to the messages.

   2. Set your custom attributes under the meta.pubsub.attributes key. For example, if you want to include the timestamp as a custom attribute as well, you can use:

      meta.pubsub.attributes = {"timestamp": $S_ISODATE};
      

8 - Grafana

8.1 - Grafana Loki

Coming soon

If you’d like, we can send you an email when we update this page.

9 - Microsoft

9.1 - Azure Monitor

Sending data to Azure Monitor is practically identical to using the Sentinel destination. Follow the procedure described in Microsoft Sentinel.

9.2 - Microsoft Sentinel

To add a Microsoft Sentinel or Azure Monitor destination to Axoflow, complete the following steps. Axoflow Console can configure your AxoRouters to send data to the built-in syslog table of Azure Monitor.

Prerequisites

• An Azure subscription.
• An Enterprise application defined in Microsoft Entra ID.. You’ll need the Tenant ID, Application ID, and Application Secret of the application to configure the Axoflow destination.
• A Data Collection Endpoint (DCE) and a Data Collection Rule (DCR). We can provide you with ARM templates for both the DCE and the DCR, contact us for details. For information on how to install these, see the Azure Monitor documentation.
• A Log Analytics Workspace in Azure.
• A Microsoft Sentinel workspace (optional).

Steps

1. Create a new destination.

   1. Open the Axoflow Console.
   2. Select Topology.
   3. Select + > Destination.

2. Configure the destination.

   1. Select Sentinel or Azure Monitor.

   2. Enter a name for the destination.

      

   3. Configure the credentials needed for authentication.

      

      • Tenant ID: Directory (tenant) ID of the environment where you’re sending the data. (Practically everything belongs to the tenant ID: the Entra ID application, the Log analytics workspace, Sentinel, the DCE and the DCR, and so on.)
      • Application ID: Application (client) ID of the Microsoft Entra ID application.
      • Application secret: The Client secret of the Microsoft Entra ID application.
      • Scope: The scope for the authentication token. Usually you can leave empty to use the default value (https://monitor.azure.com//.default).

   4. Specify the details of the table to send the data to.

      • DCE Logs Ingestion URI: The URI of your Data Collection Endpoint (DCE).
      • DCR Immutable ID: The immutable ID property of the Azure Monitor Data Collection Rule (DCR) where AxoRouter sends the data.
      • Stream name: The name of the stream where AxoRouter sends the data.

   5. (Optional) Set other options as needed for your environments.

      • Timeout: The number of seconds to wait for a log-forwarding request to complete, and attempt to reconnect the server if exceeded. The default (0) is unlimited. For more details, see the AxoSyslog documentation.
      • Batch Timeout: Maximal time in milliseconds to wait for a batch to be filled before sending it. The default value (-1) means that the batch should be full before sending, which may result in a long wait if the incoming traffic is low. For more details, see the AxoSyslog documentation.
      • Workers: Used for scaling the destination in case of high message load. Specifies the number of worker threads AxoRouter uses for sending messages to the destination. The default is 1. If high message throughput is not a concern, leave it on 1. For maximum performance, increase it up to the number of CPU cores available on AxoRouter. For more details, see the AxoSyslog documentation.

   6. Select Create.

3. Create a flow to connect the new destination to an AxoRouter instance.

   1. Select Flows.

   2. Select Create New Flow.

   3. Enter a name for the flow, for example, my-test-flow.

      

   4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

   5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      

   6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      

   7. Select Create.

   8. The new flow appears in the Flows list.

      

10 - OpenObserve

To add an OpenObserve destination to Axoflow, complete the following steps.

Prerequisites

• An OpenObserve account for Axoflow, or
• a self-hosted OpenObserve deployment.
• To configure Axoflow, you’ll need the username, password, the name of your organization, and the name of the OpenObserve stream where you want to send your data.

Steps

1. Create a new destination.

   1. Open the Axoflow Console.
   2. Select Topology.
   3. Select + > Destination.

2. Configure the destination.

   1. Select OpenObserve.

   2. Select which type of configuration you want to use:

      • Simple: Send all data into a single stream of an organization.
      • Dynamic: Send data to an organization and stream based on the content or metadata of the incoming messages (or to the default stream of the default organization).
      • Advanced: Allows you to specify a custom URL endpoint.

   3. Enter a name for the destination.

      

   4. Configure the endpoint of the destination.

      • Advanced: Enter your OpenObserve URL into the URL field, for example, https://example.com/api/my-org/my-stream/_json
      • Simple and Dynamic:
        1. Select the HTTPS or HTTP protocol to use to access your destination.
        2. Enter the Hostname and Port of the destination.

   5. Specify the OpenObserve stream to send the data to.

      • Simple: Enter name of the Organization and the Stream where you want to send the data. All data will be sent into this stream.
      • Dynamic: Enter the expression that specifies the default Default Organization and teh Default Stream. The data will be sent into this stream if no other organization and stream is set during the processing of the message (for example, by the processing steps of the Flow).

      You can use AxoSyslog macros in this field.

   6. Enter the username and password for the account you want to use.

   7. (Optional)

      By default, Axoflow rejects connections to the destination server if the certificate of the server is invalid (for example, it’s expired, signed by an unknown CA, or its CN and the name of the server is mismatched).

      Warning When validating a certificate, the entire certificate chain must be valid, including the CA certificate. If any certificate of the chain is invalid, Axoflow will reject the connection.

      If you want to accept invalid certificates (or no certificate) from the destination servers, disable the Verify server certificate option.

   8. (Optional) Set other options as needed for your environments.

      • Timeout: The number of seconds to wait for a log-forwarding request to complete, and attempt to reconnect the server if exceeded. The default (0) is unlimited. For more details, see the AxoSyslog documentation.
      • Batch Timeout: Maximal time in milliseconds to wait for a batch to be filled before sending it. The default value (-1) means that the batch should be full before sending, which may result in a long wait if the incoming traffic is low. For more details, see the AxoSyslog documentation.
      • Workers: Used for scaling the destination in case of high message load. Specifies the number of worker threads AxoRouter uses for sending messages to the destination. The default is 1. If high message throughput is not a concern, leave it on 1. For maximum performance, increase it up to the number of CPU cores available on AxoRouter. For more details, see the AxoSyslog documentation.
3. Create a flow to connect the new destination to an AxoRouter instance.

   1. Select Flows.

   2. Select Create New Flow.

   3. Enter a name for the flow, for example, my-test-flow.

      

   4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

   5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      

   6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      

   7. Select Create.

   8. The new flow appears in the Flows list.

      

11 - Splunk

11.1 - Splunk Cloud

To add a Splunk destination to Axoflow, complete the following steps.

Prerequisites

1. Enable the HTTP Event Collector (HEC) on your Splunk deployment if needed. On Splunk Cloud Platform deployments, HEC is enabled by default.

2. Create a token for Axoflow to use in the destination. When creating the token, use the syslog source type.

   For details, see Set up and use HTTP Event Collector in Splunk Web.

3. If you’re using AxoRouter, create the indexes where Axoflow sends the log data. Which index is needed depends on the sources you have, but create at least the following event indices: axoflow, infraops, netops, netfw, osnix (for unclassified messages). Check your sources in the Sources section for a detailed lists on which indices their data is sent.

Steps

1. Create a new destination.

   1. Open the Axoflow Console.
   2. Select Topology.
   3. Select + > Destination.

2. Configure the destination.

   1. Select Splunk.

   2. Select which type of configuration you want to use:

      • Simple: Send all data into a single index, with fixed source and source type settings.
      • Dynamic: Set index, source, and source type based on the content or metadata of the incoming messages.
      • Advanced: Allows you to specify a custom URL endpoint.

   3. Enter a name for the destination.

      

   4. Configure the endpoint of the destination.

      • Advanced: Enter your Splunk URL into the URL field, for example, https://<your-splunk-tenant-id>.splunkcloud.com:8088 for Splunk Cloud Platform free trials, or https://<your-splunk-tenant-id>.splunkcloud.com for Splunk Cloud Platform instances.
      • Simple and Dynamic:
        1. Select the HTTPS or HTTP protocol to use to access your destination.
        2. Enter the Hostname and Port of the destination.

   5. Specify the Splunk index to send the data to.

      • Simple: Enter the expression that specifies the Splunk index to use into the Index field, for example: netops. All data will be sent into this index.
      • Dynamic and Advanced:
        1. Enter the name of the Default Index. The data will be sent into this index if no other index is set during the processing of the message (based on automatic classification, or by the processing steps of the Flow). Make sure that the index exists in Splunk.
        2. Enter the Default Source and Default Source Type. These will be assigned to the messages that have no source or source type set during the processing of the message (based on automatic classification, or by the processing steps of the Flow).

   6. Enter the token you’ve created into the Token field.

   7. Disable the Verify server certificate option unless your deployment has a valid, non-self-signed certificate. Free Splunk Cloud accounts have self-signed certificates.

   8. (Optional) Set other options as needed for your environments.

      • Timeout: The number of seconds to wait for a log-forwarding request to complete, and attempt to reconnect the server if exceeded. The default (0) is unlimited. For more details, see the AxoSyslog documentation.
      • Batch Timeout: Maximal time in milliseconds to wait for a batch to be filled before sending it. The default value (-1) means that the batch should be full before sending, which may result in a long wait if the incoming traffic is low. For more details, see the AxoSyslog documentation.
      • Workers: Used for scaling the destination in case of high message load. Specifies the number of worker threads AxoRouter uses for sending messages to the destination. The default is 1. If high message throughput is not a concern, leave it on 1. For maximum performance, increase it up to the number of CPU cores available on AxoRouter. For more details, see the AxoSyslog documentation.

   9. Select Create.

3. Create a flow to connect the new destination to an AxoRouter instance.

   1. Select Flows.

   2. Select Create New Flow.

   3. Enter a name for the flow, for example, my-test-flow.

      

   4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

   5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      

   6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      

   7. Select Create.

   8. The new flow appears in the Flows list.

      

11.2 - Splunk Enterprise

Coming soon

If you’d like, we can send you an email when we update this page.