Hi!
I'm pretty new to Splunk and at the moment, I'm trying to set up a centralized repository for all my Windows events via WMI. So far this works fine.
The only issue I have is that every time I add a server, Splunk retrieves all the events on the Windows Server - even old ones. This leads to a license violation.
Can I somehow set a filter so that when I add a new server, it starts the event collection only from the moment I add the server, so I don't get all the "historical" data?
Thanks!!