Hello,
I'm trying to limit the amount of data that SPLUNK indexes daily and I noticed that a bunch of our server log files contain lots of reduntant data and hence can be skipped. HOWEVER, the "useless" files live in the same folders as some of the "useful" files. Question: is there a way to segregate files that Forwarders pick up from the same directory (we have both Windows and Linux servers)?
Thanks,
leo
Sure. Check out the whitelisting/blacklisting mechanisms in inputs.conf.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf