My organization has a 10G a day data ingest subscription with Splunk. Recently, every Tuesday, our firewall data ingest spikes, sending us over the 10G limit. How can I find out what is causing this Tuesday spike? Any suggestions will be appreciated.
You have to investigate your data. Compare your number of events (and their length), compare events by loglevel/allowDeny, and figure out whether your sending or receiving behaviour differs for some devices/IPs, etc.
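One way to do the comparison the answer describes, as an added example that is not part of the original thread: this SPL search reads the license master's license_usage.log (type=Usage lines carry bytes per host/sourcetype/index) for the last 30 whole days, classifies each day as Tuesday or not, and ranks host:sourcetype pairs by how much their average daily volume on Tuesdays exceeds the other days. The fields b, h, st and idx are the standard ones in that log; the 30-day window and the top-20 cut-off are assumptions you can change.

```spl
index=_internal source=*license_usage.log type=Usage earliest=-30d@d latest=@d
| eval GB=b/1024/1024/1024
| eval wday_class=if(strftime(_time,"%A")=="Tuesday","tuesday","other")
| eval key=h.":".st.":".idx
| bin _time span=1d
| stats sum(GB) AS daily_GB by _time, key, wday_class
| chart avg(daily_GB) AS avg_GB over key by wday_class
| fillnull value=0 tuesday other
| eval delta_GB=round(tuesday-other,3)
| sort - delta_GB
| head 20
```

The rows with the largest delta_GB are the host/sourcetype/index combinations that contribute most to the Tuesday overage; re-run the same search with a `st=<your firewall sourcetype>` filter on the first line to narrow it to firewall data once you know the sourcetype name.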