In Splunk when i ingest Security events log of AD from 70 domain controllers for just 4 whitelisted events and dropping static text by regex in config file and the count is 500gb avg. everyday.
In Azure sentinel when we ingest the same data i mean like ingest these 4 events by Azure sentinel connector from our domain controllers the amount/size of logs is just 10gb.
i am surprised and want to know what is the difference in terms of logs ingestion or processing that there is so huge difference in terms of size.