After I configured the product to send events to Splunk using the SIEM action, I noticed that the Journal data set fills up quickly. What can I do to resolve this issue?
With SIEM actions, the volume of successful and failed actions that are logged in the Journal data set might be high, depending on your site's environment. By default (with TR95499 or RO95499), the product logs only the failed actions to reduce the number of actions that are logged in the Journal data set. If your site is not using the default option, your Journal data set can fill up quickly.
Do the following steps as needed: