Hello,
I read https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding
and am thinking about:
"Index one input locally and then forward all inputs"
How does this affect my licensed volume? Basically I'm processing the same data twice.
Do I have to pay for this volume twice? This may affect my planning ...
Cheers
Robert
Hello,
I'm quite new to Splunk and am trying the following:
In Windows Server logs, I'm trying to evaluate whether there are
EventCode=4634 AND EventCode=4624 events, both for the same Logon_ID, within a time window of 10 seconds.
(this may indicate a logon attempt where authentication worked, but authorization did not ...)
How can this be done?
Thanks
RB
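
The correlation asked about above, as an added example that is not part of the original post and is not Splunk's own code: it is written in Python rather than SPL so it runs stand-alone, and it pairs each EventCode 4624 with the next 4634 for the same Logon_ID, keeping pairs no more than 10 seconds apart. The CSV layout, the `host` column and the sample events are assumptions constructed for the illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample events (not real log data): time, host, EventCode, Logon_ID
SAMPLE = """\
2020-03-02T10:00:00,srv01,4624,0x1A2B3C
2020-03-02T10:00:04,srv01,4634,0x1A2B3C
2020-03-02T10:00:05,srv01,4624,0x2F0011
2020-03-02T10:45:00,srv01,4634,0x2F0011
2020-03-02T10:00:07,srv02,4634,0x1A2B3C
2020-03-02T11:00:00,srv02,4624,0x77AA10
2020-03-02T11:00:10,srv02,4634,0x77AA10
2020-03-02T11:30:00,srv02,4624,0x77AA10
2020-03-02T11:30:11,srv02,4634,0x77AA10
"""

def parse_events(text):
    """Yield (time, host, code, logon_id) tuples from the CSV sample."""
    for ts, host, code, logon_id in csv.reader(io.StringIO(text)):
        yield datetime.fromisoformat(ts), host, int(code), logon_id.lower()

def short_sessions(events, window=timedelta(seconds=10)):
    """Pair each 4624 with the next 4634 for the same host and Logon_ID and
    return the pairs whose logoff follows the logon within `window`."""
    open_logons = {}  # (host, logon_id) -> time of the most recent 4624
    hits = []
    # Sort by time first: events can arrive out of order.
    for ts, host, code, logon_id in sorted(events):
        # Logon IDs are only unique per machine, so the key includes the host.
        key = (host, logon_id)
        if code == 4624:
            open_logons[key] = ts
        elif code == 4634:
            # pop() so a reused Logon_ID starts a fresh pair; None means a
            # logoff whose logon was never seen (e.g. outside the search range).
            start = open_logons.pop(key, None)
            if start is not None and ts - start <= window:
                hits.append((host, logon_id, start, (ts - start).total_seconds()))
    return hits

if __name__ == "__main__":
    for host, logon_id, start, secs in short_sessions(parse_events(SAMPLE)):
        print(f"{start.isoformat()} {host} Logon_ID={logon_id} logoff after {secs:.0f}s")
```
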