https://community.splunk.com/t5/Deployment-Architecture/Why-would-my-audit-index-grow-to-over-300g-suddenly/m-p/376805#M13842 <P>Unless there is a misconfigured input feeding the audit index, the easiest answer is that there seem to be a large amount of changes in your environment. The DIY solution would be to search the audit index to identify what changes are occurring. These could be a script making changes to the Splunk files on disk, or a large/excess amount of activity. Here's a list of all of the activities that would cause an entry in the audit index: <A href="https://docs.splunk.com/Documentation/Splunk/7.1.1/Security/AuditSplunkactivity">https://docs.splunk.com/Documentation/Splunk/7.1.1/Security/AuditSplunkactivity</A></P> Thu, 07 Jun 2018 17:40:00 GMT jowenssi 2018-06-07T17:40:00Z https://community.splunk.com/t5/Deployment-Architecture/Why-would-my-audit-index-grow-to-over-300g-suddenly/m-p/376803#M13840 <P>Why would my audit index grow to over 300g suddenly?<BR /> This happened on the SH. The _audit index normally sits at about 80 mb. So to get an alert that I was nearly out of storage for Splunkhome was a surprise.<BR /> For immediate impact I altered the size of the index to 500m, let the storage clearup, and reset the storage to allow up to 10g.</P> Thu, 07 Jun 2018 17:28:45 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-would-my-audit-index-grow-to-over-300g-suddenly/m-p/376803#M13840 MikeBertelsen 2018-06-07T17:28:45Z https://community.splunk.com/t5/Deployment-Architecture/Why-would-my-audit-index-grow-to-over-300g-suddenly/m-p/376804#M13841 <P>Well, with the data already gone, it might be difficult to determine the cause.<BR /> However - if it still grows fast now, you could simply take a look at what kind of messages appear very frequently, e.g. using the Pattern tab.<BR /> This would most likely give you an idea why this has happened.<BR /> Also - is this a personal instance, or a corporate one? Production, dev or test? Available from the internet, or LAN only?</P> <P>Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 07 Jun 2018 17:39:53 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-would-my-audit-index-grow-to-over-300g-suddenly/m-p/376804#M13841 xpac 2018-06-07T17:39:53Z https://community.splunk.com/t5/Deployment-Architecture/Why-would-my-audit-index-grow-to-over-300g-suddenly/m-p/376805#M13842 <P>Unless there is a misconfigured input feeding the audit index, the easiest answer is that there seem to be a large amount of changes in your environment. The DIY solution would be to search the audit index to identify what changes are occurring. These could be a script making changes to the Splunk files on disk, or a large/excess amount of activity. Here's a list of all of the activities that would cause an entry in the audit index: <A href="https://docs.splunk.com/Documentation/Splunk/7.1.1/Security/AuditSplunkactivity">https://docs.splunk.com/Documentation/Splunk/7.1.1/Security/AuditSplunkactivity</A></P> Thu, 07 Jun 2018 17:40:00 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-would-my-audit-index-grow-to-over-300g-suddenly/m-p/376805#M13842 jowenssi 2018-06-07T17:40:00Z