To anyone who has used Splunk to monitor DMARC: Building out dashboards and reports for DMARC visibility, I've noticed examples of DMARC record entries can contain a different address for aggregate and forensic reports. Does this make searching or dashboards faster by not searching all the data? I guess that relies on needing to search through both reports, if there would ever be a need.
I would hope the RUA and RUF reports are different enough that we could use the same email address and index to create metrics for each without too much overhead.
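As an added illustration of the two choices the question weighs (separate `rua`/`ruf` mailboxes versus one shared mailbox and index), the following Python is example code written for this thread, not something from the original post or from Splunk. It parses a DMARC TXT record to pull out the aggregate and forensic destinations, then classifies an inbound report by its content (aggregate reports are RFC 7489 XML with a `<feedback>` root; forensic reports are RFC 6591 ARF messages with `report-type=feedback-report`), which is the field you would derive at ingest time so a single index can still be split by report type in a dashboard. The record, addresses and sample reports are constructed for the example.

```python
"""Added example (not from the original post): parse a DMARC record's rua/ruf
destinations and label inbound reports by type so one mailbox/index can still
carry a report_type field. All addresses and sample reports are constructed."""
import email
import re
import xml.etree.ElementTree as ET

# Constructed DMARC record: aggregate and forensic reports go to different mailboxes.
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; pct=100; "
                 "rua=mailto:dmarc-agg@example.com; "
                 "ruf=mailto:dmarc-ruf@example.com; fo=1")


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 section 6.3)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def report_destinations(txt):
    """Return mailto: addresses for aggregate (rua) and forensic (ruf) reports.
    A tag may list several comma-separated URIs, each optionally carrying a
    '!<size>' limit suffix, which is stripped here."""
    tags = parse_dmarc_record(txt)
    out = {}
    for tag, name in (("rua", "aggregate"), ("ruf", "forensic")):
        uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
        addrs = []
        for uri in uris:
            m = re.match(r"mailto:([^!]+)", uri, re.IGNORECASE)
            if m:
                addrs.append(m.group(1))
        out[name] = addrs
    return out


# Constructed sample reports as they would land in a shared mailbox.
SAMPLE_AGGREGATE_XML = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

SAMPLE_FORENSIC_MSG = (
    "From: dmarc-reporter@example-receiver.test\r\n"
    "To: dmarc-ruf@example.com\r\n"
    "Subject: FW: Report Domain: example.com\r\n"
    "Content-Type: multipart/report; report-type=feedback-report; boundary=\"b1\"\r\n"
    "\r\n--b1\r\nContent-Type: text/plain\r\n\r\nThis is an authentication failure report.\r\n"
    "--b1\r\nContent-Type: message/feedback-report\r\n\r\n"
    "Feedback-Type: auth-failure\r\nAuth-Failure: dmarc\r\nSource-IP: 192.0.2.10\r\n"
    "--b1--\r\n")


def classify_report(raw):
    """Label a report 'aggregate' (RFC 7489 XML, root <feedback>), 'forensic'
    (RFC 6591 ARF, report-type=feedback-report) or 'unknown'."""
    if isinstance(raw, bytes):
        if raw.lstrip().startswith(b"<"):
            try:
                root = ET.fromstring(raw)
            except ET.ParseError:
                return "unknown"
            if root.tag == "feedback" and root.find("report_metadata") is not None:
                return "aggregate"
            return "unknown"
        raw = raw.decode("utf-8", errors="replace")
    msg = email.message_from_string(raw)
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "feedback-report"):
        return "forensic"
    return "unknown"


if __name__ == "__main__":
    print(report_destinations(SAMPLE_RECORD))
    print(classify_report(SAMPLE_AGGREGATE_XML), classify_report(SAMPLE_FORENSIC_MSG))
```

The point for the Splunk question: whether the record names one address or two, the report type is recoverable from the report itself, so a `report_type` field set at ingest gives the same dashboard split as separate mailboxes would, and a search that filters on that field only scans the events it needs.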