<ul><li>Splunk heavy forwarders can filter and route event data based on various criteria, including event metadata like source, source type, or event patterns.</li><li>Routing can be configured through props.conf, transforms.conf, and outputs.conf files, with the ability to index data locally before forwarding or perform selective indexing.</li><li>Splunk's search processing language (SPL) supports Boolean operators: AND, OR, NOT, and XOR.</li><li>Exclusion searches using NOT tend to be less efficient than inclusive ones.</li></ul>

Understand More Search Tuning (SPLK-1004 exam preps)

Discover more