I noticed pan:traffic logs are consuming 100% of our daily allowance. I need help restricting some of the logs that come from the PAN traffic into Splunk.
The PAN app does a good job of splitting things into sourcetypes. Are you sure that you need all of them? It would be very easy to make a slight adjustment to the app to drop some of them. You can also drop by host and that would be even easier if you are sending through syslog because you can do a host filter there.
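An added example (not from the thread or the PAN app itself) of the index-time filter the answer describes, placed in a local app on the indexer or heavy forwarder that parses the syslog feed; the firewall hostname and the deny/drop regex are assumptions you would adapt to your own environment:

```ini
# props.conf -- bind index-time transforms to a sourcetype or a host

# Keep only a subset of pan:traffic: the first transform sends every event
# to nullQueue, the second pulls the events you care about back into the
# index queue. Order in this list matters.
[pan:traffic]
TRANSFORMS-null = pan_drop_all, pan_keep_denies

# Drop everything from one noisy firewall by host (hostname is a placeholder).
[host::pan-fw-branch-01]
TRANSFORMS-null = pan_drop_all

# transforms.conf -- the transforms referenced above

[pan_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[pan_keep_denies]
# Assumed pattern: the PAN traffic CSV action field set to deny or drop.
# Check the field order for your PAN-OS version before relying on it.
REGEX = ,(?:deny|drop),
DEST_KEY = queue
FORMAT = indexQueue
```

Filtering has to happen where parsing happens, so this does nothing on a universal forwarder. Events routed to nullQueue are discarded before indexing and do not count against the license.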