Whenever I check the files that have been forwarded to my Splunk index, I see a bunch of files having their source = WinEventsLog:Application. I did not explicitly put a monitor stanza for such files and I wonder why my forwarder is always sending them to my Splunk instance. When I look at the individual events of the source, they are of the form:
... indicates that there are more field-value pairs in the events.
How do I exclude or prevent my forwarder from sending files from the WinEventsLog:Application source? It is clogging my index with data I don't need. Any help would be appreciated. Thanks!