We are ingesting syslog which has approximately 2.5 million events every 15 mins.
Are there any best practices or recommendations to optimise the index/buckets in this scenario?
thx
I hope your question is related to Splunk indexing and NOT configuration for syslog?
some of the practices we follow
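As an added illustration of the kind of index-side settings such a discussion usually ends up at (this is an example configuration written here, not the reply author's list and not something the thread itself spells out), below is an `indexes.conf` stanza for a dedicated high-volume syslog index. The index name `syslog_hv`, the paths and the retention figures are assumptions chosen for the example; the volume estimate in the comments is derived from the 2.5 million events per 15 minutes stated in the question together with an assumed average event size of roughly 300 bytes.

```ini
# indexes.conf (example, not from the original thread)
#
# Sizing assumption used below:
#   2.5M events / 15 min  ~= 240M events/day
#   at ~300 bytes/event   ~= 72 GB/day raw (assumed size; measure yours)
#
# Keep the firehose in its own index so its bucket churn and retention
# do not interfere with lower-volume, longer-retention data.

[syslog_hv]
homePath   = $SPLUNK_DB/syslog_hv/db
coldPath   = $SPLUNK_DB/syslog_hv/colddb
thawedPath = $SPLUNK_DB/syslog_hv/thaweddb

# Large buckets for a high-volume index: fewer, bigger buckets means fewer
# bucket rolls and fewer files for the searcher to open per time range.
maxDataSize = auto_high_volume

# Syslog from many hosts often arrives with out-of-order timestamps; extra
# hot buckets let events spanning several time ranges land without forcing
# premature rolls. Value is an example; tune after observing roll frequency.
maxHotBuckets = 10

# Bound the warm tier so the hot/warm volume stays on fast storage.
maxWarmDBCount = 300

# Retention: 30 days here is an assumed figure for the example.
frozenTimePeriodInSecs = 2592000

# Cap total on-disk size (MB) so this index cannot fill the volume;
# ~72 GB/day x 30 days with headroom, based on the assumed event size.
maxTotalDataSizeMB = 2500000
```

On the input side, the same data usually benefits from an explicit sourcetype definition in `props.conf` (line breaker, timestamp prefix and format, `MAX_TIMESTAMP_LOOKAHEAD`) so the indexer is not spending its time guessing event boundaries and timestamps at this event rate; the values depend entirely on the syslog format in use, so none are shown here.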