Hi Splunkers,
we have a lot of files\folders inputs (established on heavy forwarders) and during the last days we've observed substantial increase in indexing volume (even license violation). Analysis reveals re-indexing of events for particular source (4 hosts of the same index and sourcetype) up to 300-700 times during last 2 days (using stats count by _raw) after changing the name of a sourcetype (custom IIS type)
What may cause this behavior and how can I fix it?
Splunk Enterprise 7.2.5
Update: there's the following error: "IndexWriter - The index processor has paused data flow. Too many tsidx files in idx=myindex bucket="$path$/$myindex$/db/hot_v1_714" , waiting for the splunk-optimize indexing helper to catch up merging them. Ensure reasonable disk space is available, and that I/O write throughput is not compromised.
