Getting Data In

My Windows Event Log size increased dramatically after being forwarded to Splunk. Is there a way to reduce the volume of data received by Splunk?

New Member

I configured a Windows 2012 server to forward AD event logs to Splunk, everything is working well except for the volume of data being sent to Splunk.

In ~24hr the Windows event log being forwarded increased by ~4GB on disk. The Splunk admin reported that in the same time period the Splunk server received ~70GB from the Windows server.

Other than filtering out events, is there a way to reduce the volume of data received by Splunk?


0 Karma

Path Finder

This Splunk blog post has a trick that's fully supported and will reduce the size of your Windows events: The post explains how to send your Windows logs in as XML, which is parsed perfectly by the Windows TA, but the events are a lot smaller because they have less duplicate data (in fact, the XML versions of the events have more useful information stuffed into fewer characters). According to the blog, it reduces event size by about 70%, but in practice it looked like a smaller reduction in my environment.

0 Karma

New Member

Interesting. However, the following links seems report some different results.

I will give a try tommorow.

0 Karma


Is that a new server? Maybe you can add ignoreOlderThan = 24h on inputs.conf to make sure this data is really from today.

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...