Wednesday, January 21, 2015

tell splunk to stop re-indexing stuff

splunk likes to re-index rotated log files on your local system. each re-index counts against the data index limit of 500mb. curses. so, let's stop that, since the data is already in the index.

to /opt/splunk/etc/system/local/inputs.conf add:
[monitor:///var/log]
blacklist = \.(gz|[0-9])$
and there you go.
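
a quick way to see which files that blacklist really skips, as an added example (not from the original post): Python's `re.search` stands in for Splunk's regex match on the file path, and the `ROTATED_HINT` pattern and the sample listing are assumptions made up for illustration.

```python
import re

# The blacklist value from the inputs.conf stanza above, searched
# (unanchored at the start) against the path of each monitored file.
BLACKLIST = re.compile(r"\.(gz|[0-9])$")

# Assumption (not from the post): shapes rotated or compressed logs often take,
# e.g. numeric suffixes, logrotate date suffixes, other compressors.
ROTATED_HINT = re.compile(r"(\.\d+|[-.]\d{8}|\.(gz|bz2|xz|zip))$")


def classify(paths):
    """Return (skipped, monitored, slipped).

    skipped   - paths the blacklist excludes from monitoring
    monitored - paths still indexed
    slipped   - monitored paths that look rotated, so they would be re-indexed
    """
    skipped, monitored, slipped = [], [], []
    for path in paths:
        if BLACKLIST.search(path):
            skipped.append(path)
            continue
        monitored.append(path)
        if ROTATED_HINT.search(path):
            slipped.append(path)
    return skipped, monitored, slipped


# Constructed sample listing of /var/log (not taken from a real host).
SAMPLE = [
    "/var/log/messages",
    "/var/log/messages.1",
    "/var/log/messages.2.gz",
    "/var/log/syslog.10",
    "/var/log/secure-20150118",
    "/var/log/auth.log",
    "/var/log/dpkg.log.3.bz2",
    "/var/log/audit/audit.log.4",
]

if __name__ == "__main__":
    skipped, monitored, slipped = classify(SAMPLE)
    for label, group in (("skipped", skipped), ("monitored", monitored),
                         ("looks rotated but still monitored", slipped)):
        print(label + ":")
        for path in group:
            print("  " + path)
```

two-digit rotation numbers, date suffixes and non-gz compression fall outside the pattern, so check your own rotation scheme against it before relying on the stanza.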
