I have a splunk enterprise license of 2GB which is crossing its daily limit frequently
I have configured an email alert when my daily index reaches 1.5GB and daily I get a report of hosts and source types which are cause for the index
so whenever I get an alert I am seeing the hosts which are indexing more and manually stopping splunkd services in that particular host, but I want an automatic way which will automatically stop the services on a host when my license limit reaches around 1.5 GB
Now, here is the tricky part: Splunk will not pass the search result to this script, but you can pass either a URL or a file name where the event result is available to the alert script. So your alert script must be able to
read the host name which you want to stop
be able to remote login to this host and stop Splunk via CLI command
As I said, I wouldn't do it this way ..... because, if your script or your search go crazy .. bad things could happen, like stopping the wrong host.
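To make the caveat above concrete, here is an added example (my own code, not the answerer's or Splunk's) of an alert-action script that reads the saved-search results file and decides which forwarders it is allowed to stop, with the guardrails that keep "bad things" from happening: an explicit allowlist, a per-host threshold, a cap on how many hosts may be stopped per run, and a dry-run default. The CSV sample, host names, thresholds and the `/opt/splunk/bin/splunk stop` path are constructed; the assumption that the results path arrives as the ninth command-line argument (`sys.argv[8]`) follows the legacy alert-script convention and should be checked against your Splunk version.

```python
"""Guarded alert-action script: decides which forwarders may be stopped (added example)."""
import csv
import gzip
import io
import os
import subprocess
import sys

# Constructed sample of what the saved search might return (host, GB indexed today).
SAMPLE_RESULTS = """host,gb_today
fwd-web-01,0.9
fwd-db-01,0.4
splunk-indexer,0.3
"""

# Guardrails (constructed values): only allowlisted hosts may ever be stopped,
# only if they are above a per-host threshold, and never more than MAX_STOPS per run.
ALLOWED_HOSTS = {"fwd-web-01", "fwd-db-01"}
PER_HOST_THRESHOLD_GB = 0.5
MAX_STOPS = 1


def parse_results(text):
    """Parse the saved-search CSV into (host, gb) tuples; malformed rows are skipped, never acted on."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            rows.append((row["host"].strip(), float(row["gb_today"])))
        except (KeyError, ValueError, AttributeError):
            continue
    return rows


def select_hosts_to_stop(rows):
    """Apply the guardrails; return (hosts_to_stop, {host: reason_rejected})."""
    candidates = sorted(rows, key=lambda r: r[1], reverse=True)  # heaviest senders first
    to_stop, rejected = [], {}
    for host, gb in candidates:
        if host not in ALLOWED_HOSTS:
            rejected[host] = "not in allowlist"
        elif gb < PER_HOST_THRESHOLD_GB:
            rejected[host] = "below per-host threshold"
        elif len(to_stop) >= MAX_STOPS:
            rejected[host] = "max stops reached"
        else:
            to_stop.append(host)
    return to_stop, rejected


def load_results_file(path):
    """Read the results file Splunk points the script at; handles plain or gzipped CSV."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return fh.read()


def build_stop_command(host):
    """Command to run over SSH for a host; path to the splunk binary is an assumption."""
    return ["ssh", host, "/opt/splunk/bin/splunk", "stop"]


if __name__ == "__main__":
    # DRY_RUN defaults to on: the script only reports what it would do unless explicitly armed.
    dry_run = os.environ.get("DRY_RUN", "1") == "1"
    # Assumption: legacy alert scripts receive the results-file path as argument 8.
    text = load_results_file(sys.argv[8]) if len(sys.argv) > 8 else SAMPLE_RESULTS
    stop, rejected = select_hosts_to_stop(parse_results(text))
    for host, why in rejected.items():
        print(f"skip {host}: {why}")
    for host in stop:
        cmd = build_stop_command(host)
        print(("DRY RUN: " if dry_run else "running: ") + " ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=False, timeout=60)
```

Run without arguments it evaluates the embedded sample and prints its decisions in dry-run mode; with the sample it would stop only `fwd-web-01`, skipping `fwd-db-01` (under threshold) and `splunk-indexer` (not allowlisted). Whatever the search returns, the allowlist and `MAX_STOPS` bound the damage a misfiring search can do, which is exactly the failure mode the answer warns about.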