Is it possible to filter events after indexing, but before they are forwarded?


I'm gathering the _internal index from several hundred remote hosts, but the only events I want to collect centrally are warnings and errors. Is it possible to filter what events get forwarded to the central indexer?



The _internal index is not really "yours" to mess with and I highly advise against even trying. Doing so will surely cause some apps not to work correctly (e.g. SoS, etc.), might cause Splunk support to be hampered in assisting you, and could even (conceivably) break your support agreement. It does not impact your license and shouldn't be too much disk space, so why not just leave well enough alone?

