My Splunk Enterprise instance shows that the main index is growing much faster than the squid-access-log index to which I send the Squid access logs.
Upon review, it turned out that during setup of the splunkforwarder service I had added the entire c:\squid\var\logs folder as a directory to be 'monitored'.
This directive was stored under the default Splunk directory in etc/apps/splunk_TA_Windows/local/inputs.conf.
All I had to do was remove the entries there, then go to the Splunk server and enter:
./splunk clean eventdata
(Warning: all data in the indexes will be lost.)
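The root cause is visible in the monitor stanza itself: a [monitor://] stanza with no "index =" key sends everything it picks up to the default index, main, and a stanza pointing at a whole directory picks up every file in it, not just the access log. Below is an added before-and-after inputs.conf (example config, not the author's actual file); the folder and index name are taken from the post, while the access.log file name and the sourcetype value are assumptions.

```ini
# BEFORE (assumed reconstruction of the overly broad stanza):
# monitors every file under the Squid log directory and, with no
# "index =" key, routes all of it to the default index, main.
[monitor://c:\squid\var\logs]
disabled = 0

# AFTER: monitor only the access log and route it to the intended index.
# The file name and sourcetype below are assumed, not taken from the post.
[monitor://c:\squid\var\logs\access.log]
disabled = 0
index = squid-access-log
sourcetype = squid:access
```

After saving the file, restart the forwarder so the new stanza is read. On the indexer, "splunk clean eventdata" with no arguments wipes every index, as the warning above says; "splunk clean eventdata -index main" limits the wipe to the one index that was polluted. Either form requires splunkd to be stopped first, and "-f" skips the confirmation prompt.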