I am using Splunk Enterprise Security, but at the moment, because I don't have enough logs (only from Suricata), I use only ES's "Incident Review" to track notable events and create investigations. This is quite handy while waiting for new logs to be input and to use 100% of the Enterprise Security app.
Since I only use 5% of its capabilities, I would like to "kill" most of the resource-consuming functions from ES. Any ideas what I should deactivate (e.g. accelerated searches, apps like threat-Intel since I am offline, etc.)?