I have turned on security auditing temporarily in Windows and because of this have exceeded my indexing limit.
I was told when purchasing Splunk that you can prevent certain data from being indexed with filters to prevent this from happening.
How do I create one of these filters?
@zeigfried, any chance you could spoonfeed me an example for wineventlog:security coming in via a light forwarder from certain hosts? Also confused about which props / transforms files I should be editing...
Is it also possible to not index certain data if you're not using a forwarder? Our setup is pretty simple in that we only have a single Splunk instance running without any forwarding. I've tried a number of times to set up Splunk to drop data based on the client IP by following the steps outlined but not having any luck!
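As an added example (not posted by anyone in this thread, and not Splunk's own documentation), below is the classic props.conf / transforms.conf pair that routes WinEventLog:Security events from chosen hosts to Splunk's nullQueue so they are dropped before indexing. The host names DC01 and FILESRV02 are constructed placeholders; the stanza and transform names are arbitrary. This only takes effect where parsing happens, i.e. on the indexer (or a heavy forwarder), which also answers the single-instance case: put the files in $SPLUNK_HOME/etc/system/local on that instance. A light forwarder does not run the parsing pipeline, so placing these files on the forwarder does nothing; keep them on the indexer that receives its data.

```ini
# ---- props.conf (on the indexer / heavy forwarder, not the light forwarder) ----
# Apply the transforms below only to the Security event log sourcetype.
# Order matters: transforms run left to right, so the "drop" rule goes first
# and a later "keep" rule can rescue selected events.
[WinEventLog:Security]
TRANSFORMS-filter_security = drop_security_from_noisy_hosts, keep_logon_events

# ---- transforms.conf (same instance) ----
# Drop every Security event whose host metadata matches the listed names.
# MetaData:Host carries the value in the form "host::<hostname>".
# DC01 / FILESRV02 are constructed placeholder host names.
[drop_security_from_noisy_hosts]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(?:DC01|FILESRV02)$
DEST_KEY = queue
FORMAT = nullQueue

# Optional: even from the dropped hosts, keep logon events (EventCode 4624/4625)
# by sending matching events back to the indexing queue. Remove this stanza
# (and its name from the TRANSFORMS line above) to drop everything from those hosts.
[keep_logon_events]
REGEX = (?m)^EventCode=(?:4624|4625)\b
DEST_KEY = queue
FORMAT = indexQueue
```

Restart Splunk (or reload the config) after editing, then confirm with a search such as `index=* sourcetype=WinEventLog:Security host=DC01` that nothing new arrives. The REGEX in the keep stanza runs against the raw event text, so adjust it if your events do not contain an `EventCode=` line. Newer Splunk releases also let a universal forwarder filter Windows event logs at the source with `whitelist` / `blacklist` settings in inputs.conf, which saves the network and indexer the work of receiving events that will be discarded anyway.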