https://community.splunk.com/t5/Getting-Data-In/Searching-w-o-Indexing/m-p/94598#M19682 <P>Is there a way to access SplunkWeb without turning on indexing? My license just got crushed by a security audit team, and we're going way over our license each day as the logs play catch-up. After a while it should return to normal, but is there any way to access the data by say, stopping indexing before I go over the license limit?</P> Fri, 16 Mar 2012 14:00:21 GMT jam678 2012-03-16T14:00:21Z https://community.splunk.com/t5/Getting-Data-In/Searching-w-o-Indexing/m-p/94598#M19682 <P>Is there a way to access SplunkWeb without turning on indexing? My license just got crushed by a security audit team, and we're going way over our license each day as the logs play catch-up. After a while it should return to normal, but is there any way to access the data by say, stopping indexing before I go over the license limit?</P> Fri, 16 Mar 2012 14:00:21 GMT https://community.splunk.com/t5/Getting-Data-In/Searching-w-o-Indexing/m-p/94598#M19682 jam678 2012-03-16T14:00:21Z https://community.splunk.com/t5/Getting-Data-In/Searching-w-o-Indexing/m-p/94599#M19683 <P>Not really, but I think there is a better way to resolve this situation than turning off indexing. If you're an enterprise customer you're allowed 5 violations within a 30 day rolling window, so a couple of violations shouldn't be a big deal. Additionally, running with the same presumption, you can request a license reset from support/sales. </P> <P>The thing to do here is determine what is causing the violations with the searches you can find here: </P> <P><A href="http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume">http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume</A></P> <P>Take a look at the section that says 'Quick summary information by host, source, source type, and index', it'll give you some searches that will identify broadly the areas where you're volume is being used. </P> <P>From there use the information at this link to route unnecessary </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad</A></P> <P>The section you're looking for is 'Filter event data and send to queues'.</P> <PRE><CODE>You can eliminate unwanted data by routing it to nullQueue, Splunk's /dev/null equivalent. When you filter out data in this way, the filtered data is not forwarded or added to the Splunk index at all, and doesn't count toward your indexing volume. </CODE></PRE> Fri, 16 Mar 2012 14:22:19 GMT https://community.splunk.com/t5/Getting-Data-In/Searching-w-o-Indexing/m-p/94599#M19683 jbsplunk 2012-03-16T14:22:19Z https://community.splunk.com/t5/Getting-Data-In/Searching-w-o-Indexing/m-p/94600#M19684 <P>Thanks, that should work - didn't know about directing data to /dev/null, that should be a huge help. </P> <P>There aren't any limitations to how much over the license you can go in one day, right? Say I have a 10GB License, I can index, say, 50GB that one day as long as I don't do it 5 times over 30 days?</P> Mon, 19 Mar 2012 12:21:27 GMT https://community.splunk.com/t5/Getting-Data-In/Searching-w-o-Indexing/m-p/94600#M19684 jam678 2012-03-19T12:21:27Z https://community.splunk.com/t5/Getting-Data-In/Searching-w-o-Indexing/m-p/94601#M19685 <P>Your understanding is correct, you won't stop indexing at whatever your indexing limit is, just incur a violation. Even if you had 6 violations, search would be the only thing affected.</P> Mon, 19 Mar 2012 12:57:16 GMT https://community.splunk.com/t5/Getting-Data-In/Searching-w-o-Indexing/m-p/94601#M19685 jbsplunk 2012-03-19T12:57:16Z