- Task
- Resolution: Unresolved
- Critical
- Quality / Stability / Reliability

Pasting the suggestions made by asavenko@.
1. Quay sends logs to Splunk in a non-optimal mode; since January 21 we
have been receiving around 1 billion connections per day for Quay alone. WAF sends
each log with a separate connection. It should batch them.
2. Splunk currently receives logs with a January 30 timestamp, not sure
where the issue is here. Maybe some loop?
3. It seems you are sending ALLOW logs; it's better to send only the BLOCK
action, otherwise you are duplicating logs, as we receive the same logs
from the Quay application.
4. There are also Quay access logs sent by Akamai:
https://rhcorporate.splunkcloud.com/en-US/app/rh_itml/search?sid=1770394083.105481_EE9B8915-041C-47A0-990F-F53F85FD7FA4
Maybe we don't need some of these logs?

These results total around $1000 per day just for Quay AWS costs, not
including Splunk storage.
Can you please urgently work on mitigating these issues?