We are in the process of planning our Splunk deployment. We have somewhere around 5,000 Windows servers that will be using the UF to forward. Currently in our DEV space we are sending to the indexer with no filtering of events. We are doing an exercise to collect only what we need to report or correlate, so our plan is to send to a heavy forwarder.
Can I filter at the heavy forwarder for Windows?
Are there some docs to help me with configuration?
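One way to do the kind of filtering the question asks about, written here as an added example rather than anything from the poster or from Splunk's documentation: a props.conf/transforms.conf pair on the heavy forwarder that routes unwanted Windows Security events to nullQueue, plus the inputs.conf alternative that drops them on the UF before they leave the host. The stanza names are the standard ones the WinEventLog input produces; the EventCode value 4662 is only an illustrative choice, not a recommendation of what to drop.

```ini
# props.conf on the heavy forwarder. The HF is where parsing happens when the
# UF sends unparsed data, so a TRANSFORMS-* rule here is applied before indexing.
[WinEventLog:Security]
TRANSFORMS-null = drop_noisy_security

# transforms.conf on the heavy forwarder.
# Events whose _raw matches REGEX are sent to nullQueue, i.e. discarded.
# The regex assumes the classic (non-XML) rendering, where "EventCode=NNNN"
# sits on its own line; with renderXml=true on the input the raw text is
# "<EventID>NNNN</EventID>" and the pattern must change accordingly.
# Keep anything you still need for detection or compliance reporting.
[drop_noisy_security]
REGEX = (?m)^EventCode=4662\b
DEST_KEY = queue
FORMAT = nullQueue

# inputs.conf on the universal forwarder (alternative to the HF rules above).
# Filtering here by event ID avoids sending the events across the network at all,
# at the cost of having to manage the list on every host.
[WinEventLog://Security]
blacklist = 4662
```

Deploy the props/transforms pair in an app on the heavy forwarder (for example in that app's local directory) and confirm the drop with a before/after count of the event code on the indexer, since a regex that silently matches nothing is the usual failure mode.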