I am a newbie and just getting started. I'm only pulling local data from the Splunk Server. I do have a few apps installed for Active directory and Utilization Monitor. I have a 5GB limit limit and my daily usage is already at 2.267GB of usage. What happens when I set up forwarders for at least 60 additional servers? Is my license big enough? Is there a best practice documentation for newbies?
It all depends on the data you want to bring in. On those 60 forwarders, do you know what logs you're looking to ingest? Can you do some manual calculations to determine how much per day that would be. Will each forwarder report the same type of data? Meaning, can you install on one and extrapolate from there?
Are you bringing in anything today that you don't need? Maybe something being ingested by default by the apps you installed?
The documentation is worth a read. But at a high-level, if you go over your license for a day then you get a warning. If you get 5 warnings in a rolling 30 day period then you're in violation. At that point, you won't be able to search your data, however it will still be indexed. You would need to request a reset key to remove the warnings and start - something you'd get from your sales contact or support.