Hello,
I have a limit on license indexing per day, so I wanted to limit the data to be indexed from a specific piece of equipment.
I receive a great amount of logs from a source equipment using syslog (I can't change which types of logs are sent to Splunk). So, to limit the amount of data being indexed, I filtered the data in the indexing phase using Splunk. I added a regex in Splunk so that Splunk only indexes the wanted types of logs and ignores the other syslog logs received from that specific equipment. I did this using TRANSFORMS-set in props.conf and the regex expression in the transforms.conf file.
As a result, I had the following errors in Splunk health that I couldn't fix:
Ingestion Latency
TailReader-0
Whenever I remove the regex expression the problem is solved, meaning that the regex is the only source of this problem/error.
Thank you in advance for your help.
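The filtering setup described in the post, as an added offline example that is not the original poster's configuration: a Python script that reads a constructed props.conf/transforms.conf pair and applies the listed transforms the way Splunk's parsing pipeline does (in TRANSFORMS-set order, the last matching DEST_KEY wins), using the documented keep-some/drop-the-rest pattern of a catch-all stanza routing to nullQueue followed by a stanza routing the wanted subset back to indexQueue. The sourcetype name netdevice_syslog, the Cisco-style syslog lines and the regex are assumptions for illustration. Splunk evaluates REGEX with PCRE; Python's re is close enough for patterns like these, but check the final pattern against real events. The script also times a pattern per event, which is a cheap way to notice an unanchored regex that backtracks heavily before it is applied to every event of a busy source.

```python
"""Offline simulation of a Splunk nullQueue filter (props.conf + transforms.conf).

Assumed example, not the original poster's files: sourcetype name, stanza
names, regex and sample events are all constructed for illustration.
"""
import configparser
import re
import time

# Constructed props.conf: transforms run in the order listed in TRANSFORMS-set.
PROPS_CONF = """
[netdevice_syslog]
TRANSFORMS-set = drop_everything, keep_security_events
"""

# Constructed transforms.conf: the catch-all stanza must come first so that
# the second stanza can override its DEST_KEY for the events we want to keep.
TRANSFORMS_CONF = r"""
[drop_everything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_security_events]
REGEX = ^<\d{1,3}>[^%]{0,80}%SEC(?:_LOGIN)?-\d-
DEST_KEY = queue
FORMAT = indexQueue
"""

# Constructed Cisco-style syslog events (assumed format, not real device output).
SAMPLE_EVENTS = [
    "<190>Jan 10 10:00:01 fw01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(4444) -> 10.0.0.9(22), 1 packet",
    "<189>Jan 10 10:00:02 fw01 %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up",
    "<188>Jan 10 10:00:03 fw01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5]",
    "<189>Jan 10 10:00:04 fw01 %SYS-5-CONFIG_I: Configured from console by admin",
]


def _read_conf(text):
    # interpolation=None: '%' is regex syntax here, not configparser interpolation.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case, e.g. "TRANSFORMS-set"
    parser.read_string(text)
    return parser


def load_pipeline(props_text, transforms_text, sourcetype):
    """Return the ordered list of (name, compiled_regex, FORMAT) for a sourcetype."""
    props = _read_conf(props_text)
    transforms = _read_conf(transforms_text)
    order = [n.strip() for n in props[sourcetype]["TRANSFORMS-set"].split(",")]
    pipeline = []
    for name in order:
        stanza = transforms[name]
        if stanza.get("DEST_KEY") != "queue":
            raise ValueError(f"{name}: only DEST_KEY = queue is simulated here")
        pipeline.append((name, re.compile(stanza["REGEX"]), stanza["FORMAT"]))
    return pipeline


def route(event, pipeline):
    """Apply transforms in order; the last stanza whose REGEX matches sets the queue."""
    dest = "indexQueue"  # an event nothing matches is indexed
    for _name, regex, fmt in pipeline:
        if regex.search(event):
            dest = fmt
    return dest


def classify(events=SAMPLE_EVENTS, sourcetype="netdevice_syslog"):
    """Return [(queue, event), ...] for the sample events under the assumed config."""
    pipeline = load_pipeline(PROPS_CONF, TRANSFORMS_CONF, sourcetype)
    return [(route(e, pipeline), e) for e in events]


def regex_cost_us(pattern, events, iterations=2000):
    """Average microseconds per event for a pattern: a rough pre-deployment check."""
    regex = re.compile(pattern)
    start = time.perf_counter()
    for _ in range(iterations):
        for e in events:
            regex.search(e)
    return (time.perf_counter() - start) / (iterations * len(events)) * 1e6


if __name__ == "__main__":
    for dest, event in classify():
        print(f"{dest:<10} {event[:70]}")
    anchored = r"^<\d{1,3}>[^%]{0,80}%SEC(?:_LOGIN)?-\d-"
    greedy = r".*%SEC.*-\d-.*"  # unanchored: the engine retries from every position
    print(f"anchored: {regex_cost_us(anchored, SAMPLE_EVENTS):.2f} us/event")
    print(f"greedy:   {regex_cost_us(greedy, SAMPLE_EVENTS):.2f} us/event")
```

TRANSFORMS-set only takes effect where parsing happens (an indexer or heavy forwarder), and the catch-all stanza has to be listed before the keep stanza, otherwise every event ends in nullQueue. Run the script with the real sourcetype's regex and a few dozen captured events to confirm that only the wanted types reach indexQueue and that the pattern's per-event cost is small.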