How To optimize eps aggregation and filtration in ...

Getting Data In

Hello guys,

i'm working with a costumer which wants to replace arcsight with splunk.

we're moving some systems from the arcsight and while we added "Fireglass" (by symantec) to monitoring we saw extreme growth in the license which almost caused to violations.

while digging in at the logs we saw that some sites, like youtube takes something like 1000 events for time frame of 1 minute. looking deeper i could see that all the video\audio traffic was sent as well. the customer told me that in Arcsight there's an option for "aggregation and filtration", which he can take the number of logs which are the same and merge them as one event, and ingest the whole traffic.

here's an explanation about the operation from the Arcsight side:

ArcSight. Optimizing EPS (Aggregation and Filtration) - SOC Prime

my question: can i make something like this with splunk? with a license of 100G the fireglass takes like 60G.

thanks in advance

Etai 🙂

Get Updates on the Splunk Community!

How To optimize eps aggregation and filtration in splunk

JSON

monitor

whitelist

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation