https://community.splunk.com/t5/Getting-Data-In/Minimize-Size-of-Logs-being-processed/m-p/39015#M7225 <P>Ok. So I will assume you are monitoring entire directories at the moment and pulling all logs in.<BR /> There is something called a nullQueue in splunk, when an event arrives it goes through several stages of parsing and queues before eventually being indexed. Just before it arrives at the index you can filter off certain events into a "nullQueue". These do not get indexed and simply get written away.</P> <P>Have a read of;<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_send_to_queues" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A></P> <P>If you have any problems then just update your question with anything you've tried and the community can help troubleshoot it further.</P> Mon, 28 Sep 2020 10:14:36 GMT Drainy 2020-09-28T10:14:36Z https://community.splunk.com/t5/Getting-Data-In/Minimize-Size-of-Logs-being-processed/m-p/39014#M7224 <P>I have splunk free installed and want to log some remote server but the Security Log is hogging my 500MB daily allowance I am using remote agents, is there a way to only index aspects of the security Log in splunk? Obviously I don't at the moment care about succesful logins and log outs ets</P> Thu, 22 Dec 2011 09:35:23 GMT https://community.splunk.com/t5/Getting-Data-In/Minimize-Size-of-Logs-being-processed/m-p/39014#M7224 stevehoweuk 2011-12-22T09:35:23Z https://community.splunk.com/t5/Getting-Data-In/Minimize-Size-of-Logs-being-processed/m-p/39015#M7225 <P>Ok. So I will assume you are monitoring entire directories at the moment and pulling all logs in.<BR /> There is something called a nullQueue in splunk, when an event arrives it goes through several stages of parsing and queues before eventually being indexed. Just before it arrives at the index you can filter off certain events into a "nullQueue". These do not get indexed and simply get written away.</P> <P>Have a read of;<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_send_to_queues" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A></P> <P>If you have any problems then just update your question with anything you've tried and the community can help troubleshoot it further.</P> Mon, 28 Sep 2020 10:14:36 GMT https://community.splunk.com/t5/Getting-Data-In/Minimize-Size-of-Logs-being-processed/m-p/39015#M7225 Drainy 2020-09-28T10:14:36Z