I am still on a trial of the enterprise version. I have one central splunk server and several forwarders setup.

This morning Splunk says: Daily indexing volume limit exceeded.

Can I back track and remove something?

I have one file that was added directly as a input to splunk that generated a lot of traffic. I tried sourcetype=<> | delete but it seems to struggle deleting >20M events.

Is it something I'm doing wrong?

Can I setup Splunk to prune indexed data older than X and I just missed that setting somewhere?

Thanks.