I am still on a trial of the enterprise version. I have one central Splunk server and several forwarders set up.
This morning Splunk says: Daily indexing volume limit exceeded.
Can I backtrack and remove something?
I have one file that was added directly as an input to Splunk that generated a lot of traffic. I tried sourcetype=<> | delete but it seems to struggle deleting >20M events.
Is it something I'm doing wrong?
Can I set up Splunk to prune indexed data older than X and I just missed that setting somewhere?
Thanks.