That all makes sense to me - one thing to help would be to look a the Graylog Schema so you can be consistent with naming conventions for field names and the like. Also, take into consideration the message you want to drop, particularly chatty ones, that you don’t want. Try to standardize dropping them or shunting them to an index that has a shorter life span. Trimming out parts of Windows messages… some have a paragraph or two of explanation that comes with each message. 