Splunk Enterprise Security

Windows Logs by default gets tagged to alert data model


Hi All,

I just found that each log from Windows AD gets tagged to the Alert data model. When I accelerate the data model for just 1 week, it takes 400+ GB of space. We don't have a requirement that each Windows log gets tagged to the Alert data model.

What will be the best way to untag the Windows logs?

Hi Sumit,
Check tags.conf in the Windows AD add-on and comment out the line mentioning tag = alert.

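As an added illustration (not from either post), the usual way to apply this without editing the add-on's shipped files is a local override in the same app. The eventtype name below is a placeholder; the real stanza name comes from the add-on's default/tags.conf:

```ini
# --- default/tags.conf shipped with the add-on (do not edit; placeholder stanza name) ---
# [eventtype=windows_ad_event_placeholder]
# alert = enabled

# --- local/tags.conf in the same app (create this file) ---
# A local setting with the same stanza and key wins over default,
# so the events lose the "alert" tag and drop out of the Alerts data model,
# and the override survives an add-on upgrade.
[eventtype=windows_ad_event_placeholder]
alert = disabled
```

To find which stanzas actually carry the tag before changing anything, a search such as `tag=alert | stats count by eventtype, sourcetype` over a short time range lists the eventtypes to override. After the change, rebuild the Alerts data model acceleration so the already-built summaries are recomputed without the Windows events.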