I started to index /var/log and boom, over my limit immediately. How can I even get the feel for this if I can't use it at all? I assumed the indexer would ignore old rotated files, but perhaps it also counts those towards the daily total?
A couple of things to note here with regard to the license volume limit. You are allowed 5 violations (3 with the free license) within a rolling 30-day period before search is disabled. After this, you'd need to wait 30 days before you could search any non-internal index again.
If you're just testing Splunk, move a subset of data from /var/log into another folder. I have an enterprise trial license monitoring /var/log on a laptop, and haven't had any issues with it.
By default, the indexer is going to look at the first 256 bytes of a file, and if it matches what we've recorded, it is going to skip indexing those files. If you want to ensure that files are not indexed, you can blacklist those files.
If you need more volume per day, do not hesitate to contact email@example.com and ask for a larger trial license. They will be glad to assist.
When you first install Splunk, and point it at something like a directory to monitor, it's going to index everything in there unless you specify to "tail only". That would account for passing the limit, but doesn't necessarily indicate that you'll continue to do so.
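The blacklisting suggested two posts up and the "tail only" behaviour mentioned in the post above both live in inputs.conf. The stanza below is an added example written for this thread, not something posted by any of the participants or shipped by Splunk; the /var/log path, the blacklist regex and the 7-day cutoff are illustrative choices, and the setting names (blacklist, followTail, ignoreOlderThan, initCrcLength) are standard inputs.conf keys.

```ini
# Added example, not from the original thread.
# Typically placed in $SPLUNK_HOME/etc/system/local/inputs.conf
# (or in an app's local/ directory) and applied with a Splunk restart.
# Assumption: the path and the regex below are illustrative; adjust to taste.

[monitor:///var/log]
disabled = false

# Skip rotated and compressed copies such as messages.1, syslog.2.gz, auth.log.3.bz2.
# The regex is matched against the full path of each file found under /var/log.
blacklist = \.(\d+|gz|bz2|xz)$

# Only index data appended after Splunk starts watching this directory,
# instead of ingesting the whole existing backlog on first start.
followTail = 1

# Ignore any file whose modification time is older than 7 days.
ignoreOlderThan = 7d

# Splunk fingerprints each file by a CRC of its first N bytes to avoid
# re-indexing a file it has already seen; 256 is the default.
initCrcLength = 256
```

Note that followTail = 1 is meant as a one-time measure: once the input has been established, set it back to 0 so that Splunk resumes normal tailing (including picking up files that appear later). After restarting, `splunk list monitor` shows which files the input has actually accepted, which is the quickest way to confirm that the rotated files were excluded before the daily volume is spent.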
In any case, the enterprise trial volume limit would generally be enough for someone to get familiar with Splunk. If you need more volume you would need to contact sales.
You can get a feel for it by indexing a subset of /var/log, or taking advantage of its general analysis capabilities by indexing a specific application log. Take a look at this list of apps. Splunk lets you find a needle in a haystack, but it also does a lot of good when just trying to view data from different angles.