Why would my audit index grow to over 300g suddenly?
This happened on the SH. The _audit index normally sits at about 80 mb. So to get an alert that I was nearly out of storage for Splunkhome was a surprise.
For immediate impact I altered the size of the index to 500m, let the storage clearup, and reset the storage to allow up to 10g.
Unless there is a misconfigured input feeding the audit index, the easiest answer is that there seem to be a large amount of changes in your environment. The DIY solution would be to search the audit index to identify what changes are occurring. These could be a script making changes to the Splunk files on disk, or a large/excess amount of activity. Here's a list of all of the activities that would cause an entry in the audit index: https://docs.splunk.com/Documentation/Splunk/7.1.1/Security/AuditSplunkactivity
Well, with the data already gone, it might be difficult to determine the cause.
However - if it still grows fast now, you could simply take a look at what kind of messages appear very frequently, e.g. using the Pattern tab.
This would most likely give you an idea why this has happened.
Also - is this a personal instance, or a corporate one? Production, dev or test? Available from the internet, or LAN only?
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂