Splunk is absolutely case-sensitive - except when a user types in the search bar: then it just case-sensitive sometimes.
When editing any .conf file, always respect case and you will do better!
The warm data will be written to the appropriate folder in E:. When the partition is full or the maximum number of warm buckets is reached, the oldest bucket in the warm folder will be moved to 😧
If you are over the size limits now, Splunk will start moving buckets right away until your indexes are with the limits. After that, the Splunk daemon will check regularly. I don't know how often exactly, but it will happen at least every time a new bucket is filled, and probably much more often than that.
... View more