When you first start any monitor input, Splunk reads the existing files and directories. Typically, there are weeks of data in these files and it will take a while for Splunk to "catch up." So in the beginning, Splunk will be indexing much more data than normal.
If this is a problem for you, I suggest:
1. Identify the files and directories being monitored. One of them is probably /var/log
2. Go to each file/directory mentioned and "tidy it up." In particular, /var/log may have many old files that could be deleted. Or at least, if you don't want Splunk to index the file, move it to another directory, like /var/oldlogs
3. Disable any monitor inputs in the linux app that you want to ignore