I've been able to start pulling AD logs via WMI, which is nice and all, but I come in this morning and have some 28-odd million events in WMI:WinEventLog:Security, and a very unhappy Splunk server after a long holiday weekend of chewing on events.
Is there a way to discard events past a certain age? We're still in trial mode for a proof of concept, and I'd like it to stay running a bit longer than a week...