Hi,
we are currently adding data sources to our Splunk environment. We try our best to make it CIM compliant. We have a dedicated ES search head and we do not want ES to look at this data. How can we make sure that it is excluded from ES. I'd rather not set up new dedicated indexers just for the new data since we would probably loose performance and the setup (and therefore maintenance) will become more complicated.
Thanks,
Chris
↧