Splunk Enterprise

indexing volume limit being exceeded

desimpkins
Explorer

Hello all,
I've got what I'm sure is a simple issue to resolve, but I can't for the life of me find any documentation or posts that provide a good answer or instruction set.
I'm new to Splunk. I've set up a server under a free license and have three Windows 7 PCs with Universal Forwarders installed on them, forwarding the four Windows logs to it (successfully).
My issue is that my Splunk 'server' says it's indexing 2GB per day!

###### OS Logs ######
[WinEventLog:Application]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5

[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5

I'm finding it hard to believe that three normal workstations (two of which are idle) can be consuming so much. Can someone assist with how to refine my inputs, or perhaps even point me towards some descriptive documentation? I had hoped to get some basic info to monitor an environment of about 30 workstations and 30 servers, but perhaps 500MB per day was never going to be enough for this task...

Any help greatly appreciated!

Daniel


kristian_kolb
Ultra Champion

If you just installed these forwarders, they will go through the existing log files as well, so there will be an initial peak, as the historical events are being processed.

Download and install the Splunk Deployment Monitor app, which will give you a nice set of graphs and charts covering your license usage.

/K


desimpkins
Explorer

OK, thanks guys - appreciate you taking the time to reply. The events being indexed are whatever comes configured from a Windows 7 install, but I take your point - I need to do more homework on my end. It must be entirely possible that three machines generate a huge amount of logs by default; because Windows overwrites itself, it never accumulates to larger than 20MB or so.
Thanks again.


Ayn
Legend

I guess you could look at what you're actually getting into Splunk to see what the bulk of these events is made up of?...
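
Two searches that carry out that suggestion, added here as an example and not taken from any post in this thread: the first sums licensed bytes per forwarder host and sourcetype from the indexer's own license_usage.log, the second counts Security-log events by EventCode over the last day so that a single noisy audit category stands out.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-7d
| stats sum(b) AS bytes BY h, st
| eval MB=round(bytes/1024/1024, 2)
| sort -bytes

source="WinEventLog:Security" earliest=-24h
| stats count BY host, EventCode
| sort -count
```

The per-host (h) and per-source (s) fields in license_usage.log are blanked once the number of distinct host/source pairs exceeds the squash threshold, which will not happen with three forwarders. A handful of EventCodes dominating the second result points at the audit categories in Local Security Policy worth reviewing.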

kristian_kolb
Ultra Champion

Then I would suggest that you check your auditing policies. Control Panel -> Administrative Tools -> Local Security Policy -> Auditing Policy (I believe) on a standalone PC.

It could be that you have enabled auditing of too many types of event - so that you actually generate a lot of messages (usually in the Security log). Or perhaps you have a lot of applications logging to the Application event log.

Hard to tell from here.

/k

desimpkins
Explorer

Appreciate the reply - and I will download that app. But in the meantime, I understand the initial spike, but it's been a week or so and it's still unusually high (IMO), so I'm wondering how to refine the input.
