You can use splunk for free for up to 500 megabytes of indexed data daily. To make sure you do not run beyond this limitation, use the following query:
index=_internal group=”per_source_thruput” NOT series=”*splunk/var/log*” | eval mb=kb/1024| timechart span=1d sum(mb) by series
When drawing a bar graph, you directly see, what type of log is filling your indexes. In this case the “ps” logs.
