Thank you for your replies @livehybrid  @PrewinThomas  index=_internal source="*license_usage.log" type=Usage h="<forwader name>" | rename _time as Date | eval Date=strftime(Date,"%b-%y") | stats sum(b) as license by Date h | eval licenseGB =round(license/1024/1024/1024,3) | rename licenseGB as TB How to calculate data ingestion from a specific He... - Splunk Community using this search from the community, it seems that my heavy forwarder with throttling issue is forwarding about 16-28 GB daily as opposed to another heavy forwarder forwarding about >2GB daily. Currently in the limits.conf file, throughput rate is configured at 0 (hence no limit). Is there any way I can still configure the heavy forwarder to take on such a load of 16GB daily?  Increasing the hardware on the heavy forwarder did not seem to do the trick so not sure if I can reconfigure the heavy forwarder limits. Additionally, is 16GB too high? not sure what is the benchmark for this as I am rather new.  Answering the question on the queues that were getting choked up, "1 - Parsing Queue 2 - Aggregation Queue 3 - Typing Queue 4 - Indexing Queue 5 - TcpOut Queue", all 5 queues are constantly at near 100%.  query used:  index=_internal source=*metrics.log sourcetype=splunkd group=queue (name=parsingqueue OR name=aggqueue OR name=typingqueue OR name=indexqueue OR name=tcpout* OR name=tcpin_queue) host IN (<your host>) | replace tcpout* with tcpoutqueue in name | eval name=case(name=="tcpin_queue","0 - TcpIn Queue",name=="aggqueue","2 - Aggregation Queue",name=="indexqueue","4 - Indexing Queue",name=="parsingqueue","1 - Parsing Queue",name=="typingqueue","3 - Typing Queue",name=="tcpoutqueue","5 - TcpOut Queue") | eval max=if(isnotnull(max_size_kb),max_size_kb,max_size) | eval curr=if(isnotnull(current_size_kb),current_size_kb,current_size) | eval fill_perc=round((curr/max)*100,2) | timechart span=30m p90(fill_perc) AS fill_perc by name ... View more