I configured a Windows 2012 server to forward AD event logs to Splunk, and everything is working well except for the volume of data being sent to Splunk.
In ~24hr the Windows event log being forwarded increased by ~4GB on disk. The Splunk admin reported that in the same time period the Splunk server received ~70GB from the Windows server.
Other than filtering out events, is there a way to reduce the volume of data received by Splunk?