A directory got added as a data input that shouldn't have, and so now I have
"Daily indexing volume limit exceeded"
messages coming up. So I used the "| delete" function in the search to remove the sourcetype, but I am still getting this message and the data summary is still reporting the deleted data.
Reading everything I can about the clean command I don't think I want to use it, as I have some other good valid data in this splunk instance that I don't want to delete.
Am I missing something?
... View more