Is there a way to configure forwarders running on AD/DNS servers not to index REPLICATED data?
For example, when an entry is removed from DNS, around 140 events are logged in Splunk from our several DNS servers and most of the data is duplicate.
If you can identify which data is duplicate, then the following transform will prevent the data from being indexed:
props.conf
# replace "sourcetype" with the actual sourcetype of the DNS events
[sourcetype]
TRANSFORMS-drop = null_queue_filter

transforms.conf
[null_queue_filter]
# REGEX is matched against _raw; put the pattern that identifies the duplicate (replicated) events here
REGEX = <<>>
DEST_KEY = queue
FORMAT = nullQueue
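Before deploying a nullQueue transform it is worth checking the REGEX against real event text, because anything it matches is discarded before indexing and cannot be recovered. The following Python script is an added example, not code from the answer above or from Splunk: it mimics how a TRANSFORMS regex is applied to `_raw` (the default SOURCE_KEY) and reports which constructed sample events would be routed to `nullQueue` and which would be indexed. The sample lines and the `Source=Replication` marker are hypothetical stand-ins for whatever actually distinguishes replicated entries in the real DNS events.

```python
import re

# Constructed sample events (not real Windows DNS log output): one change
# made on the originating server and the same change as it appears on two
# peers after AD replication. "Source=" is a hypothetical marker standing
# in for whatever distinguishes replicated entries in the real events.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z host=dns01 action=record_deleted zone=corp.example name=old-host Source=Local",
    "2024-01-01T10:00:02Z host=dns02 action=record_deleted zone=corp.example name=old-host Source=Replication",
    "2024-01-01T10:00:03Z host=dns03 action=record_deleted zone=corp.example name=old-host Source=Replication",
    "2024-01-01T10:05:00Z host=dns02 action=record_added zone=corp.example name=new-host Source=Local",
]

# Candidate value for REGEX in transforms.conf (hypothetical; adjust to the
# real event text). Splunk applies TRANSFORMS regexes to _raw by default
# (SOURCE_KEY = _raw), so the pattern is tested against the whole line.
NULL_QUEUE_REGEX = r"Source=Replication"


def route_event(raw, pattern=NULL_QUEUE_REGEX):
    """Return the queue an event would be sent to under the transform."""
    return "nullQueue" if re.search(pattern, raw) else "indexQueue"


def simulate_filter(events, pattern=NULL_QUEUE_REGEX):
    """Apply route_event to every event and return (kept, dropped) lists."""
    kept, dropped = [], []
    for ev in events:
        if route_event(ev, pattern) == "nullQueue":
            dropped.append(ev)
        else:
            kept.append(ev)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = simulate_filter(SAMPLE_EVENTS)
    print(f"kept {len(kept)}, dropped {len(dropped)}")
    for ev in dropped:
        print("DROP:", ev)
    for ev in kept:
        print("KEEP:", ev)
```

Two points to keep in mind when applying this to the real setup: the regex should be as narrow as possible (a pattern that is too broad silently drops events you later need for investigation), and nullQueue routing happens during parsing, so the props/transforms pair takes effect on a heavy forwarder or indexer rather than on a universal forwarder installed on the DNS servers themselves.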