Hello to all Splunk wizards,
I would like to know if it is possible for me to choose what data to index in Splunk. The reason behind it is to limit the license usage of the Splunk server.
I currently own a 2GB licensed daily volume, but once I've started monitoring the Fortigate firewall (syslog enabled), it consumes the license's quota till it reaches a violation.
What I'm thinking of doing is to only index the "status = deny" in order to limit the licensed daily volume.
Thanks.
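Added example (not from the original post): the standard Splunk routing pattern for keeping only selected events and sending everything else to nullQueue, which is not indexed and so does not count against the license. The sourcetype name `fortigate_syslog` and the regex `status=deny` are assumptions based on the post; the stanzas must live on the tier that parses the data (indexer or heavy forwarder), not on a universal forwarder.

```ini
# props.conf
# Sourcetype name is an assumption; use the one your syslog input assigns.
[fortigate_syslog]
TRANSFORMS-set = fgt_setnull, fgt_keep_deny

# transforms.conf
# Transforms listed in TRANSFORMS-set run in order; a later match overrides
# an earlier one, so first discard everything, then rescue the deny events.

# 1. Default: route every event to nullQueue (dropped, not licensed).
[fgt_setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. Override: events carrying status=deny go back to indexQueue.
#    The field name/format is taken from the post; check it against a raw
#    Fortigate event before deploying (some FortiOS versions use action=deny).
[fgt_keep_deny]
REGEX = status=deny
DEST_KEY = queue
FORMAT = indexQueue
```

After restarting Splunk on that tier, confirm with a search that only deny events arrive and watch the license usage report the next day.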