Thank You for you response .Does this setting helps to reduce the license usage?

If the data is not indexed it won’t be counted against license .

Thank you.So disabling will not get indexed right?..Just to confirm

Yes it won’t get indexed.

Also if you have the index enabled again then any data queued up in forwarder will get indexed to it .

So the events dont drop , are they still queued ? .If I want to ignore them and only get those events from the time it is enabled ,how can I do that

https://answers.splunk.com/answers/179987/if-i-disable-an-index-will-events-for-that-index-s.html

Hello @hmarkus

Thank you for your mail .We have a indexer cluster so on which box do I need to disable it.If I want to disable via CLI .What is that I need to add to that index is it enabled = 1 for that index

As @Vijeta mentioned, you can also disable it by adding the disabled = true to your indexes.conf.
In an index cluster I would add the line in the indexes.conf in your app on the Cluster Master, that is used to configure all indexes in your Cluster (in $SPLUNK_HOME/etc/master-apps/), and than push your new configuration bundle.
On a single instance you could use the CLI

@hmarkus .Thank you for your reply .Once I enable back do i get the old events that were already indexed and do I get the data during the index disabled time .

If I want to ignore the data which is queued ,how can I do that and I do get the data whihc was indexed before the index is disabled right?

Thanks in Advance