We pull in all the security event logs using WMI. However, it's pulling in WAY too much data. Is there a way to limit what gets pulled into Splunk? For example, to only pull in certain Event IDs?
Based on a regex you could send unwanted data to the nullqueue. See link below. That might help reduce the amount of data that you are searching on.
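Worked example of the nullQueue approach described in the answer above. This is an added illustration, not configuration from the original thread: the sourcetype name (WMI:WinEventLog:Security) and the list of Event IDs to keep are assumptions, so adjust them to whatever your WMI input actually produces. The two transforms run in order: the first routes every event to nullQueue, the second routes the events whose EventCode line matches the allowlist back to indexQueue, so only those IDs get indexed.

```ini
# props.conf
# Place on the Splunk instance that parses the data (indexer or heavy
# forwarder); nullQueue routing happens at parse time, not on a universal
# forwarder, so the events are still pulled over WMI before being dropped.
# Sourcetype name is an assumption; check what your WMI input assigns.
[WMI:WinEventLog:Security]
TRANSFORMS-set = setnull, setparsing

# transforms.conf
# Step 1: send everything for this sourcetype to nullQueue.
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Step 2: pull back the Event IDs worth keeping (assumed list: logon success,
# logon failure, process creation, account creation). The regex runs against
# the raw event text, which for WinEventLog data contains a line such as
# "EventCode=4624", hence the multiline anchors.
[setparsing]
REGEX = (?m)^EventCode=(4624|4625|4688|4720)$
DEST_KEY = queue
FORMAT = indexQueue
```

Restart splunkd after deploying the two files, then confirm the stanza is being picked up with `splunk btool props list WMI:WinEventLog:Security --debug` before trusting a drop in indexed volume. If the set of IDs you want to discard is shorter than the set you want to keep, invert the pattern instead: a single transform whose REGEX matches the unwanted EventCode values with `FORMAT = nullQueue` is enough, and no setparsing stanza is needed.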