Hello Splunkers,
Will an EVENT_BREAKER configuration be a good idea to reduce indexer stickiness for a Splunk UF collecting Windows logs via Windows Event Forwarding, or will it be handled natively by Splunk, since WinEventLog://ForwardedEvents is a Splunk-managed mechanism much like WinEventLog://Security?
[WinEventLog://ForwardedEvents]
sourcetype = WinEventLog:ForwardedEvents
index = my_windows_index