https://community.splunk.com/t5/Getting-Data-In/Logs-not-coming-to-splunk-from-UF/m-p/648830#M110276 <P>This is interesting since the license warning says about 5 violations during 30-day period which is the typical setting for a Splunk Free instance. Your environment seems much bigger than the one for Splunk Free instance.</P><P>There is probably more things wrong underneath.</P><P>We don't know your event routing, we don't know your architecture, we don't know your search settings.</P><P>I'd advise you get a consultant to look over your environment because it looks as if you have more problems than just events which are supposedly not showing in search (but they might be although they might be wrongly parsed and misplaced, for example).</P> Fri, 30 Jun 2023 16:53:13 GMT PickleRick 2023-06-30T16:53:13Z https://community.splunk.com/t5/Getting-Data-In/Logs-not-coming-to-splunk-from-UF/m-p/648798#M110269 <P>Hi team,<BR /><BR />Logs are not coming to splunk .The UF is working fine and even connected to indexers, inputs.conf and everything seems perfect.<BR />we are facing this issue for few UFs only.<BR />can you suggest something which i should check?&nbsp;</P><P>These are the warnings we are getting :-&nbsp;</P><DIV class=""><SPAN class=""><SPAN class=""><SPAN class="">1. Search peer dallpspiap090m has the following message: Daily indexing volume limit exceeded. Per the Splunk Enterprise license policy in effect, search is disabled after 5 warnings over a 30-day window. Your Splunk deployment is subject to license enforcement. See<SPAN>&nbsp;<A href="https://splunkusle.vtitel.net/en-US/manager/search/licenseusage" target="_blank" rel="noopener">License Manager<SPAN>&nbsp;for details.<BR /></SPAN></A></SPAN></SPAN></SPAN></SPAN><P><STRONG>2. Root Cause(s):</STRONG></P><UL><LI><SPAN>Sum of 3 highest per-cpu iowaits reached red threshold of 15</SPAN></LI><LI><SPAN>Sum of 3 highest per-cpu iowaits reached yellow threshold of 7</SPAN></LI><LI><SPAN><SPAN>Maximum per-cpu iowait reached red threshold of 10</SPAN></SPAN><UL><LI><DIV class=""><DIV><STRONG><STRONG>Unhealthy Instances:</STRONG></STRONG><UL><LI>dallpshdap010m</LI><LI>mialvshdap010m.vtitel.net</LI><LI>dallvissap010m.vtitel.net</LI><LI>mialvissap030m.vtitel.net</LI><LI>dallvissap030m.vtitel.net</LI><LI>mialvissap010m.vtitel.net</LI><LI>dallvissap020m.vtitel.net</LI><LI>mialvissap020m.vtitel.net<H3><SPAN>&nbsp;3.&nbsp;<SPAN>Search Lag</SPAN></SPAN></H3><UL><LI><STRONG><STRONG>Root Cause(s):</STRONG></STRONG><UL><LI><SPAN>The percentage of non high priority searches lagged (67%) over the last 24 hours is very high and exceeded the yellow thresholds (40%) on this Splunk instance. Total Searches that were part of this percentage=268303. Total lagged Searches=182113<SPAN class=""><BR /><BR /><BR /></SPAN></SPAN></LI></UL></LI></UL></LI></UL></DIV></DIV></LI></UL></LI></UL></DIV> Fri, 30 Jun 2023 11:47:10 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-not-coming-to-splunk-from-UF/m-p/648798#M110269 Hemant93 2023-06-30T11:47:10Z https://community.splunk.com/t5/Getting-Data-In/Logs-not-coming-to-splunk-from-UF/m-p/648802#M110270 <P>Hi</P><P>your logs are coming to splunk, but you cannot search those as you are ingested too many times over your license quota.</P><LI-CODE lang="markup"> Search peer dallpspiap090m has the following message: Daily indexing volume limit exceeded. Per the Splunk Enterprise license policy in effect, search is disabled after 5 warnings over a 30-day window. Your Splunk deployment is subject to license enforcement. See License Manager for details.</LI-CODE><P>You need to order Unlock license from Splunk. Contact to your account team and ask this.</P><P>r. Ismo&nbsp;</P> Fri, 30 Jun 2023 11:51:17 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-not-coming-to-splunk-from-UF/m-p/648802#M110270 isoutamo 2023-06-30T11:51:17Z https://community.splunk.com/t5/Getting-Data-In/Logs-not-coming-to-splunk-from-UF/m-p/648803#M110271 <P>Hi Isoutamo,</P><P>&nbsp;</P><P>But we are getting for most of the servers but not getting logs for recently configured servers.<BR /><BR /><BR /></P> Fri, 30 Jun 2023 12:03:18 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-not-coming-to-splunk-from-UF/m-p/648803#M110271 Hemant93 2023-06-30T12:03:18Z https://community.splunk.com/t5/Getting-Data-In/Logs-not-coming-to-splunk-from-UF/m-p/648830#M110276 <P>This is interesting since the license warning says about 5 violations during 30-day period which is the typical setting for a Splunk Free instance. Your environment seems much bigger than the one for Splunk Free instance.</P><P>There is probably more things wrong underneath.</P><P>We don't know your event routing, we don't know your architecture, we don't know your search settings.</P><P>I'd advise you get a consultant to look over your environment because it looks as if you have more problems than just events which are supposedly not showing in search (but they might be although they might be wrongly parsed and misplaced, for example).</P> Fri, 30 Jun 2023 16:53:13 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-not-coming-to-splunk-from-UF/m-p/648830#M110276 PickleRick 2023-06-30T16:53:13Z https://community.splunk.com/t5/Getting-Data-In/Logs-not-coming-to-splunk-from-UF/m-p/648835#M110277 <P>Definitely there seems to be something else too. 5/30 was normal limit with older 7&amp;8 versions, not only free. If your instance is using free license then you cannot get unlock license. That’s just for paid customers!</P> Fri, 30 Jun 2023 18:39:25 GMT https://community.splunk.com/t5/Getting-Data-In/Logs-not-coming-to-splunk-from-UF/m-p/648835#M110277 isoutamo 2023-06-30T18:39:25Z