When I configured the Splunk Add-On for Unix and Linux using defaults and choosing "enable all inputs", its indexing rate is approx 100 KB/s per host, which exceeds our 1 GB/day limit.
This doesn't match up with the indexing volume specified in the "Indexing volume" section of the "What data are collected?" page, which says:
"The Splunk App for Unix and Linux collects around 200MB of data per host per day. The app can collect slightly more or less based on individual host activity."
I have tried disabling some of the performance-related metrics, increasing polling times, etc. but I couldn't make a significant difference to the indexing rate.