As the title suggests, I was wondering if I can filter the logs that go into Splunk to avoid the daily volume limit. Our catalina logs show a lot of junk, and we only want the good stuff. Letting it index all of it would easily go over the limit.
I looked in the documentation, and it says that I can configure routing and filtering ONLY on a heavy forwarder, not a universal one.
If this is the case, then I should point all my uniForwarders to the heavy forwarder to do the filtering, right?
Does sending traffic to nullQueue prevent the daily volume from going up? Or does it still take it?
@prakash007 is correct in his comment. I would caution you when filtering out data, however. Sometimes we don't know what we don't know, so be careful to be very specific on your regex when filtering. I have seen several customers who have inadvertently filtered out things that they didn't intend to.
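The caution above about overly specific versus overly broad regexes, as an added example that is not part of the original posts: a dry run of a candidate nullQueue pattern against sample events before it is deployed, reporting what would be discarded and whether any WARNING/SEVERE events are caught by accident. The stanza name, both patterns and the log lines are constructed assumptions, and Python's `re` stands in for Splunk's PCRE engine (these patterns behave the same in both).

```python
import re

# Hypothetical transforms.conf stanza this dry run stands in for:
#   [drop_catalina_noise]
#   REGEX = <candidate pattern>
#   DEST_KEY = queue
#   FORMAT = nullQueue
BROAD = r"INFO"  # too loose: matches the word anywhere in the event
SPECIFIC = r"^\S+ \S+ INFO \[[^\]]+\] org\.apache\.catalina\.startup\."

# Constructed sample catalina events (not real log data).
SAMPLE_EVENTS = [
    "2024-05-01 10:00:01 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 4123 ms",
    "2024-05-01 10:00:02 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying app.war",
    "2024-05-01 10:02:13 SEVERE [http-nio-8080-exec-3] org.apache.catalina.core.StandardWrapperValve.invoke Servlet threw exception loading /WEB-INF/INFO.xml",
    "2024-05-01 10:03:40 WARNING [http-nio-8080-exec-7] org.apache.catalina.realm.LockOutRealm.authenticate User locked out, see SESSIONINFO",
    "2024-05-01 10:04:00 INFO [http-nio-8080-exec-1] com.example.app.Audit login ok user=alice",
]

# Events at these levels should never be discarded by a noise filter.
MUST_KEEP = re.compile(r" (SEVERE|WARNING) ")


def dry_run(pattern, events):
    """Return (dropped, kept, collateral) for a candidate nullQueue REGEX.

    Like the transform, the pattern is applied as an unanchored search
    over the raw event text. 'collateral' lists dropped events that
    match MUST_KEEP, i.e. data the filter was never meant to remove.
    """
    rx = re.compile(pattern)
    dropped = [e for e in events if rx.search(e)]
    kept = [e for e in events if not rx.search(e)]
    collateral = [e for e in dropped if MUST_KEEP.search(e)]
    return dropped, kept, collateral


if __name__ == "__main__":
    for name, pattern in (("BROAD", BROAD), ("SPECIFIC", SPECIFIC)):
        dropped, kept, collateral = dry_run(pattern, SAMPLE_EVENTS)
        dropped_bytes = sum(len(e) for e in dropped)
        print(f"{name}: drops {len(dropped)} events ({dropped_bytes} bytes), "
              f"keeps {len(kept)}, collateral {len(collateral)}")
        for e in collateral:
            print("  would lose:", e)
```

Running the same check over a day's worth of real events from the sourcetype gives a better picture than a handful of samples.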