I have installed Splunk on serverA. ServerA is configured to monitor local events and at the same time is pulling WMI events from serverB.
It is configured as a regular forwarder and is forwarding both events to our Splunk indexer.
When I log in to Splunkweb at ServerA, I get a notice bar at the top of the page stating "Daily indexing volume limit exceeded".
Is there any concern for this as it is already configured as a forwarder? Will it have any effect on the events being indexed?
It will not affect indexing but you may wish to resolve it so you don't become immune to noticing error messages. 🙂
Verify the forwarder is not indexing AND forwarding.
From the GUI, you would follow these steps...
1. click Manager > Forwarding and receiving > Forwarding defaults
2. Select radio button "No" for "Store a local copy of forwarded events?"
3. click Save button
This is equivalent to outputs.conf setting:
indexAndForward = false
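As an added example (not part of the original answer, and not Splunk's own code), the same check can be run against the text of outputs.conf instead of the GUI. It looks only at `indexAndForward` under `[tcpout]` and `index` under `[indexAndForward]`; the helper names, the sample hostnames and the accepted "true" spellings are assumptions of this sketch.

```python
# Added example: flag outputs.conf settings that keep a local copy on a forwarder.
# Boolean spellings treated as "true" here are an assumption of this sketch.
TRUE_VALUES = {"true", "1", "t", "yes", "y"}

# (stanza, key) pairs that turn on local indexing in outputs.conf.
LOCAL_INDEX_KEYS = {("tcpout", "indexAndForward"), ("indexAndForward", "index")}


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()  # later duplicates win
    return stanzas


def local_indexing_findings(text):
    """Return sorted (stanza, key, value) tuples that enable local indexing."""
    findings = []
    for stanza, settings in parse_conf(text).items():
        for key, value in settings.items():
            if (stanza, key) in LOCAL_INDEX_KEYS and value.lower() in TRUE_VALUES:
                findings.append((stanza, key, value))
    return sorted(findings)


# Constructed sample configurations (hostnames and group names are made up).
FORWARD_ONLY = """
[tcpout]
defaultGroup = primary_indexers
indexAndForward = false

[tcpout:primary_indexers]
server = indexer.example.com:9997
"""

INDEX_AND_FORWARD = FORWARD_ONLY.replace("indexAndForward = false",
                                         "indexAndForward = True")

if __name__ == "__main__":
    for name, conf in (("forward only", FORWARD_ONLY),
                       ("index and forward", INDEX_AND_FORWARD)):
        print(name, "->", local_indexing_findings(conf) or "no local indexing")
```

Splunk merges outputs.conf from several directories, so the merged output of `splunk btool outputs list` is a better input than any single file.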
It is already configured not to "store a local copy of forwarded events".
This serverA is used to pull WMI events from serverB which filters off some Windows events and then forwards them to Splunk indexer. It is at the same time forwarding local events to Splunk indexer. In this case is it indexing and forwarding as well?