Why would my audit index grow to over 300g suddenly?
This happened on the SH. The _audit index normally sits at about 80 mb. So to get an alert that I was nearly out of storage for Splunkhome was a surprise.
For immediate impact I altered the size of the index to 500m, let the storage clear up, and reset the storage to allow up to 10g.
Well, with the data already gone, it might be difficult to determine the cause.
However - if it still grows fast now, you could simply take a look at what kind of messages appear very frequently, e.g. using the Pattern tab.
This would most likely give you an idea why this has happened.
Also - is this a personal instance, or a corporate one? Production, dev or test? Available from the internet, or LAN only?
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
Unless there is a misconfigured input feeding the audit index, the easiest answer is that there seems to be a large amount of changes in your environment. The DIY solution would be to search the audit index to identify what changes are occurring. These could be a script making changes to the Splunk files on disk, or a large/excess amount of activity. Here's a list of all of the activities that would cause an entry in the audit index: https://docs.splunk.com/Documentation/Splunk/7.1.1/Security/AuditSplunkactivity
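An added example of the DIY search both answers suggest (written for this page, not taken from the thread or from Splunk's documentation): the first search ranks _audit volume by action, user and host over the last day so the dominant source stands out, the second charts hourly counts per action over a week so the moment the growth began is visible, and the third reads the index's current and maximum size from the REST endpoint to confirm the new 10g cap took effect. It assumes a Splunk 7.x or later search head and a role allowed to read _audit and the data/indexes endpoint.

```spl
index=_audit earliest=-24h
| eval bytes=len(_raw)
| stats count AS events, sum(bytes) AS bytes, min(_time) AS first_seen, max(_time) AS last_seen BY action, user, host
| eval mb=round(bytes/1024/1024, 2)
| convert ctime(first_seen) ctime(last_seen)
| sort -bytes
| head 20

index=_audit earliest=-7d
| timechart span=1h count BY action useother=f limit=10

| rest /services/data/indexes/_audit
| table title, currentDBSizeMB, maxTotalDataSizeMB, frozenTimePeriodInSecs
```

If the top row of the first search is action=search for a single user or host, add the search field to the BY clause (trimmed with substr) to see which query or saved search is responsible; if it is a file or configuration action, the user and host columns point at the script or process making the changes.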