I think you should open a support ticket for this. ... View more

Oh, fixed it. In my particular case, it was just a permissions issue, as the importtool command runs as "splunk" user,  and I had the .csv files as root with 600 permissions, so, make sure splunk user have read access to the .csv files. So, a command like this should work: /opt/splunk/bin/splunk cmd importtool /[splunk_hot_data_dir]/[indexname]/db/[new.bucket.name] exported.indexname.db.file.csv remember also that you need to specify a new bucket directory inside "db" dir, (you can create it manually or splunk will do it for you)   ... View more

You're overthinking it. Splunk indexers are specifically designed to handle the constant stream of data coming in. In fact, if for some reason Splunk slows down, the downstream forwarders will just queue up. How are you sending the data to Splunk? I ask because in normal usage of Splunk you should never have to worry about this topic. If I remember correctly, the indexing process will use about one core of the CPU so the other cores are available for returning search results of that data. If that load is insufficient, increase the indexing pipelines (more cores used) and increase the indexers (better data distribution). Also, won't the users be misled if they try to run reports on the data and don't realize that it's incomplete or not currently sending? I'm not sure if you can tell, but I'm very concerned by the question. I am confident that any means of modulating the data flow will provide a terrible experience with the Splunk platform. Respond back with more info and I'm happy to answer other concerns about this. ... View more