Hello to all Splunk wizards,
I would like to know if it is possible for me to choose what data to index in Splunk. The reason behind it is to limit the license usage of the Splunk server.
I currently owned a 2GB licensed daily volume, but once I've started monitoring the Fortigate firewall (syslog enabled), it consumes the license's quota till it reaches a violation.
What I'm thinking of doing is to only index the "status = deny" in order to limit the licensed daily volume.
Thanks.
Yes. Have a look at this docs section: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Keep_specific_events_a...
Yes. Have a look at this docs section: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Keep_specific_events_a...
sriousx : It seems that my vendor is not experienced enough to control the severity level on the firewall. But I thank you for your input.
Thanks alot Ayn!!
Can also change logging level on the originating box itself. We do this on a number of network devices (primarily Cisco), and it works just fine.
Vendor docs should have some portion on how to control syslog verbosity.