That should not be the way to do it. An Splunk admin should define the input (using tail method of db connect) to index the data needed. Then the reporting users will query the data already indexed in splunk, that wont generate any licensing cost. So the admin controls the index (and therefore the indexed volume and license) and the users just query the data, and should not be able to index new data.

Regards

Wow you are awesome!!:) Now I have some clarity.
If you can advise, let’s say I have 1 server and 10 SPLUNK users and all have rights to generate reports, prepare charts, dashboard on the basis of queries. What I understood, if any users fire a query SPLUNK will index the data on the basis of that query and side by side it will compare the output size with the licence limit, any time if it crosses the limit we will get a licence warning correct?
Here my question is what if all the users fires different queries and all have different output sizes then what..?

Yes, althougt you are allowed to index more than the limit 3 times in a 30 days window. So for the first dump, you could index all 40gb, get a license warning, and then only index the new daily data.

Thanks for the quick responce.Correct me if I am wrong lets say I have 10 GB Splunk enterprise license,and in splunk if I fire a query "select * from abc" .Here I need to care about that the output size should not more than 10 GB.Is that correct?