Is there any way to pre-filter WMI event logs, e.g. only collect warnings and errors on the Application log, System log and collect all events on the Security log? I'm trying to figure out how to reduce my index amount to control licensing costs.
You can set up regular expressions to route certain data to the nullQueue, which basically means that any events that match the regular expression(s) are discarded prior to indexing and will not count against your license.
Take a look at the following previous post on how to set this up: http://answers.splunk.com/questions/3239/try-to-route-certain-wmi-events-to-nullqueue
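The filter described in the question, as an added configuration example that is not part of the original answer or the linked post. It assumes the default WMI sourcetypes `WMI:WinEventLog:Application` and `WMI:WinEventLog:System`, and that each WMI event carries a `Type=` line with values such as `Error`, `Warning` or `Information`; the stanza and class names (`wmi_setnull`, `wmi_keep_warn_err`, `wmi_filter`) are made up for illustration.

```ini
# ---- props.conf (on the indexer or heavy forwarder that parses the data) ----
# Transforms run left to right and the last matching one wins:
# first send everything to nullQueue, then pull warnings/errors back.

[WMI:WinEventLog:Application]
TRANSFORMS-wmi_filter = wmi_setnull, wmi_keep_warn_err

[WMI:WinEventLog:System]
TRANSFORMS-wmi_filter = wmi_setnull, wmi_keep_warn_err

# No stanza for WMI:WinEventLog:Security, so every Security event
# (audit success and failure alike) is still indexed.

# ---- transforms.conf (same instance) ----

# Matches every event and routes it to nullQueue (discarded before indexing).
[wmi_setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Matches events whose Type line is Warning or Error and routes them
# back to indexQueue. (?m) lets ^ match at the start of any line in
# the multi-line WMI event. The Type= field name is an assumption;
# check a raw event from your own WMI input before relying on it.
[wmi_keep_warn_err]
REGEX = (?m)^Type=(Warning|Error)
DEST_KEY = queue
FORMAT = indexQueue
```

Events sent to nullQueue are gone for good, so confirm the regular expression against raw events (for example by searching the sourcetype for `Type=Information` before and after the change) to make sure nothing needed for later investigation is being dropped.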