I am going slightly over my license limit from time to time because of the Check Point firewall logs. Is there a way to aggregate some of the firewall logs before they are indexed into the Splunk indexers? Or would the only option be to add another 20GB of license to Splunk?
I'm not aware of any option to do this. You could potentially try to hack your own via transforms or unarchive_cmd (search on Answers for examples of either), but the Check Point stuff can't really be aggregated easily.
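As an added illustration of the "hack your own" route the answer mentions (this is example code, not part of the original thread and not Splunk's or Check Point's own tooling), the script below pre-aggregates repetitive firewall "accept" events before they reach an indexer, while passing drop/reject events through untouched because those are the ones an analyst needs at full fidelity. It assumes a simplified `key=value` log line format (constructed here, not Check Point's real schema) and a 60-second aggregation window; both are assumptions you would adjust to the actual feed.

```python
"""Pre-aggregate repetitive firewall 'accept' events before indexing.

Assumptions (not from the original page):
  - lines are simple space-separated key=value pairs with an epoch 'time' field
    (a simplified stand-in for the real Check Point log format)
  - only 'accept' events are collapsed; everything else is kept verbatim
"""
import re
from collections import OrderedDict

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

AGGREGATE_ACTIONS = {"accept"}                 # bulk allowed traffic only
KEY_FIELDS = ("src", "dst", "service", "proto", "action")

# Constructed sample input (not real Check Point output).
SAMPLE = [
    "time=1700000000 action=accept src=10.0.0.5 dst=93.184.216.34 service=443 proto=tcp",
    "time=1700000001 action=accept src=10.0.0.5 dst=93.184.216.34 service=443 proto=tcp",
    "time=1700000010 action=drop src=198.51.100.7 dst=10.0.0.5 service=22 proto=tcp",
    "time=1700000030 action=accept src=10.0.0.5 dst=93.184.216.34 service=443 proto=tcp",
    "time=1700000065 action=accept src=10.0.0.5 dst=93.184.216.34 service=443 proto=tcp",
    "time=1700000070 action=accept src=10.0.0.9 dst=10.0.0.1 service=53 proto=udp",
]


def parse(line):
    """Turn 'k=v k2="v 2"' into a dict; quotes are stripped from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def bucket(ts, window):
    """Start of the aggregation window that contains epoch second ts."""
    return ts - (ts % window)


def aggregate(lines, window=60):
    """Return the reduced event list.

    Drops/rejects and anything unparseable are emitted unchanged, in order.
    Accepts are collapsed to one summary line per (window, src, dst, service,
    proto) carrying a count plus first/last seen, so per-connection timestamps
    inside the window are the only detail lost.
    """
    out = []
    agg = OrderedDict()
    for line in lines:
        ev = parse(line)
        try:
            ts = int(ev["time"])
        except (KeyError, ValueError):
            out.append(line)            # never silently discard odd lines
            continue
        if ev.get("action") not in AGGREGATE_ACTIONS:
            out.append(line)            # security-relevant: keep verbatim
            continue
        key = (bucket(ts, window),) + tuple(ev.get(f, "-") for f in KEY_FIELDS)
        rec = agg.get(key)
        if rec is None:
            agg[key] = {"first": ts, "last": ts, "count": 1}
        else:
            rec["last"] = max(rec["last"], ts)
            rec["first"] = min(rec["first"], ts)
            rec["count"] += 1
    for key, rec in agg.items():
        win, src, dst, service, proto, action = key
        out.append(
            f'time={rec["first"]} action={action} src={src} dst={dst} '
            f'service={service} proto={proto} count={rec["count"]} '
            f'first={rec["first"]} last={rec["last"]} window={win} aggregated=1'
        )
    return out


if __name__ == "__main__":
    reduced = aggregate(SAMPLE)
    print(f"{len(SAMPLE)} events in, {len(reduced)} out")
    for line in reduced:
        print(line)
```

Run as a scripted input or in whatever pipeline sits between the firewall and the forwarder (where exactly depends on your deployment, so treat that as an assumption). Note the trade-off: the summary lines keep counts and first/last seen but lose the exact timestamp of each accepted connection, so only collapse fields you are sure you will never need during an investigation. If what you actually want is to discard noise rather than summarize it, the transforms route the answer refers to is a props.conf `TRANSFORMS-` stanza pointing at a transforms.conf entry with `DEST_KEY = queue` and `FORMAT = nullQueue`; events sent there are dropped before indexing and do not count against the license.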