I am using Splunk Enterprise for security purposes...
But there is a lot of extraneous data in my Splunk at the moment. Looking through the dashboards I am finding a lot of performance and operational status data which I don't need. The problem is that my splunk license allows me to analyze 2gb of data in a 24 hour period. I would say that at the moment 70% of the data that goes through the system is not security related and the system was procured as a security monitoring system.
I would like to find a way to reduce the mount of the data that the "forwarders" send back to the Splunk back end for processing. i.e. exclude all of the performance and operational data from the analysis.
My intention is to use that freed up bandwidth to push some Anti Virus and Firewall logs to splunk instead of server performance data.
I would really really appreciate some help with this. I have searched previous questions, but can't seem to find the answer. However, if there is a page you know of where I can find my answer please send me the link :)
Kind Regards
Vera
