Hi @smallwonder,

when you say limit the amount of data, do you mean limiting the files to read or filtering events?

If limiting the files to read, you can add whitelist and blacklist options to your inputs.conf.

If instead you want to filter some data, you have to identify one or more regexes to filter your logs (positive or negative filtering), and then apply the method described at https://docs.splunk.com/Documentation/Splunk/9.3.2/Forwarding/Routeandfilterdatad

Remember that these filters must be applied in the first full Splunk instance they are passing through, in other words on the first Heavy Forwarder present or on Indexers, not on Universal Forwarders.

Ciao.
giuseppe
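
The two options described in the answer above, sketched as configuration. This is an added example, not part of the original post; the monitor path, sourcetype, stanza names and regexes are constructed placeholders.

```ini
# ---- inputs.conf (on the Universal Forwarder) ----
# Option 1: limit which files are read.
# whitelist/blacklist are regexes matched against the full file path.
[monitor:///var/log/example_app]
sourcetype = example:app
whitelist = \.log$
blacklist = (debug|trace)\.log$

# ---- props.conf (first Heavy Forwarder, or the Indexers) ----
# Option 2: filter individual events by regex.
[example:app]
# Order matters: discard everything first, then re-route the
# events to keep back to the index queue (positive filtering).
TRANSFORMS-filter = example_drop_all, example_keep_errors

# ---- transforms.conf (same instance as props.conf) ----
[example_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[example_keep_errors]
REGEX = \b(ERROR|FATAL)\b
DEST_KEY = queue
FORMAT = indexQueue

# Negative filtering alternative: use a single transform whose REGEX
# matches only the unwanted events and set FORMAT = nullQueue.
```

Events routed to nullQueue are discarded before indexing and cannot be searched afterwards, so check the regexes against sample events before deploying them.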