Installed Splunk on Friday, added my AD controllers and my Exchange server, followed all the instructions, and we've done like 60 GB a day for the past few days. Is this just loading in old data or something, or is there a switch somewhere I messed up? We have 90 users and a simple domain structure; I can't imagine we're ingesting this much data a day in AD logs.
Setup is very simple: master head with 2 indexers, universal forwarder on each of the Windows hosts, deployment server app setting each universal forwarder to get a copy of Splunk_TA_windows, TA-DNSServer-NT6, and TA-DomainController-2012R2 (we're pure 2012 R2). We also push the indexer IPs via a deployment app. The outputs.conf has both indexers in a single server stanza, which I believe means it load balances?
Either way, I can't justify buying 100GB of license for 6 servers.
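As an added example (not from the original post), a small Python script that sums Splunk's license_usage.log by sourcetype and by host, which is the quickest way to see which input or server is producing the 60 GB/day. The sample lines are constructed, and the field layout assumed here (type=Usage records with s, st, h, idx and b=bytes) should be checked against the real file under $SPLUNK_HOME/var/log/splunk/ on the license master.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Splunk's license_usage.log.
# Field layout (type=Usage, st=sourcetype, h=host, b=bytes) is an assumption;
# the byte counts are made up to mirror the 60 GB/day in the question.
SAMPLE_LOG = """\
05-13-2016 00:00:00.000 -0400 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog:Security" h="dc01" o="" idx="wineventlog" pool="auto_generated_pool_enterprise" b=28000000000 poolsz=107374182400
05-13-2016 00:00:00.000 -0400 INFO  LicenseUsage - type=Usage s="WinEventLog:Security" st="WinEventLog:Security" h="dc02" o="" idx="wineventlog" pool="auto_generated_pool_enterprise" b=25000000000 poolsz=107374182400
05-13-2016 00:00:00.000 -0400 INFO  LicenseUsage - type=Usage s="WinEventLog:Application" st="WinEventLog:Application" h="exch01" o="" idx="wineventlog" pool="auto_generated_pool_enterprise" b=3000000000 poolsz=107374182400
05-13-2016 00:00:00.000 -0400 INFO  LicenseUsage - type=Usage s="D:\\DNSLogs\\dns.log" st="MSAD:NT6:DNS" h="dc01" o="" idx="msad" pool="auto_generated_pool_enterprise" b=4000000000 poolsz=107374182400
05-13-2016 00:00:00.000 -0400 INFO  LicenseUsage - type=RolloverSummary idx="wineventlog" b=60000000000 poolsz=107374182400
"""

# key=value pairs, value either double-quoted (may be empty) or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_usage_line(line):
    """Return a dict of fields for one type=Usage record, or None for other record types."""
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
              for m in KV_RE.finditer(line)}
    if fields.get("type") != "Usage":
        return None  # skip RolloverSummary and anything else
    return fields

def bytes_by(log_text, key):
    """Sum indexed bytes per distinct value of `key` ('st' = sourcetype, 'h' = host)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_usage_line(line)
        if rec and key in rec:
            totals[rec[key]] += int(rec["b"])
    return dict(totals)

def top_consumers(log_text, key, n=3):
    """The n largest contributors under `key`, as (value, gigabytes) tuples, biggest first."""
    ranked = sorted(bytes_by(log_text, key).items(), key=lambda kv: kv[1], reverse=True)
    return [(name, b / 1e9) for name, b in ranked[:n]]

if __name__ == "__main__":
    for key, label in (("st", "sourcetype"), ("h", "host")):
        print(f"Top {label}s by GB indexed:")
        for name, gb in top_consumers(SAMPLE_LOG, key):
            print(f"  {name:28s} {gb:6.1f} GB")
```

On the constructed data the Security event log from the two domain controllers dominates, which is the usual outcome with the Windows TA's default Security channel input enabled; once the top sourcetype and host are known, the fix lives in that input's inputs.conf on the deployment server rather than in outputs.conf.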