The issue you have is this.
You have installed the ta-nix app which monitors audit events on your Splunk server.
When a file is modified on the Splunk server, an event is generated in audit.log.
Splunk then indexes audit.log, and writes the result to the Splunk index, in /opt/Splunk/var/....
This in turn generates a new event in audit.log which... you guessed it, gets indexed, and written, and triggers another event in audit.log.
As well as writing index files, your searches are also creating objects in the same path, so your Splunk server is eating itself!
Two solutions:
A.) Reconfigure the auditd service to ignore changes in the /opt/Splunk/var/ paths.
B.) Configure the ta-nix app to ignore audit.log on Splunk servers.
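To confirm the loop described in the answer above, and to check that it has stopped after applying solution A, the share of audited events that touch Splunk's own data directory can be measured. This is an added example, not part of the original answer: the function names are hypothetical, the sample records are constructed, and `SPLUNK_VAR` uses the path as written in the answer.

```python
import re
from collections import Counter

# Splunk data directory as written in the answer; adjust to the real install path.
SPLUNK_VAR = "/opt/Splunk/var/"

# A PATH record carries the file name; "timestamp:serial" identifies the event.
PATH_RE = re.compile(r'^type=PATH msg=audit\((\d+\.\d+:\d+)\):.*? name=("[^"]*"|\S+)')

def decode_name(raw):
    """auditd quotes plain names and hex-encodes names with unsafe characters."""
    if raw.startswith('"'):
        return raw.strip('"')
    if raw == "(null)":
        return None
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # unquoted but not hex: keep as seen

def feedback_ratio(lines, prefix=SPLUNK_VAR):
    """Return (events touching prefix, events with a PATH record, top paths).
    Only absolute names are matched, so the first number is a lower bound."""
    events, hits, top = set(), set(), Counter()
    for line in lines:
        m = PATH_RE.match(line)
        if not m:
            continue
        event_id, name = m.group(1), decode_name(m.group(2))
        events.add(event_id)
        if name and name.startswith(prefix):
            hits.add(event_id)
            top[name] += 1
    return len(hits), len(events), top.most_common(3)

# Constructed sample records (not taken from a real system).
HEX_NAME = (SPLUNK_VAR + "run/splunk/dispatch/tmp 1").encode().hex().upper()
SAMPLE = [
    'type=SYSCALL msg=audit(1700000000.101:900): syscall=257 exe="/opt/Splunk/bin/splunkd"',
    'type=PATH msg=audit(1700000000.101:900): item=0 name="/opt/Splunk/var/lib/splunk/db/journal.gz" inode=11',
    f'type=PATH msg=audit(1700000000.205:901): item=0 name={HEX_NAME} inode=12 nametype=CREATE',
    'type=PATH msg=audit(1700000000.309:902): item=0 name="/etc/passwd" inode=13',
    'type=PATH msg=audit(1700000000.309:902): item=1 name=(null) inode=14',
]

if __name__ == "__main__":
    hits, total, top = feedback_ratio(SAMPLE)  # on a host: open("/var/log/audit/audit.log")
    print(f"{hits}/{total} audited events touch {SPLUNK_VAR}", top)
```

A ratio close to 1 on a Splunk server matches the self-feeding pattern the answer describes; after the auditd exclusion is in place it should drop toward 0.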