https://community.splunk.com/t5/Getting-Data-In/How-to-identify-host-that-is-exhausting-indexing-quota/m-p/296663#M56258 <P>You should be querying the license usage log to accurate comparison of license (daily indexing volume) usage. </P> <P>Try this (from license server. Can query from search head if you're forwarding license server internal logs to your indexers)</P> <PRE><CODE>index=_internal source=*license_usage.log type=Usage earliest=-2d@d | eval host=if(isnull(h) OR len(h)=0,"SQUASHED",h) | bucket span=1d _time | stats sum(b) as usage by _time host | eval usage_GB=round(usage/1024/1024/1024,2) </CODE></PRE> Tue, 16 May 2017 18:30:11 GMT somesoni2 2017-05-16T18:30:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-identify-host-that-is-exhausting-indexing-quota/m-p/296662#M56257 <P>I got the daily indexing quota exceeded in our Splunk v6.1 instance.<BR /> I ran this query:</P> <P>earliest=-2d@d host=* index=* | eval raw_len=len(_raw)/1024/1024 | stats sum(raw_len) as "size/MB" by date_mday, host</P> <P>which gives me a table of date, size (in MB) of events, and hostnames.<BR /> Adding the numbers up, and comparing over the past couple of days, I can't see how the quota was exceeded.</P> <P>Am I missing something in my query to identify the host that did the excessive logging?</P> Tue, 29 Sep 2020 14:05:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-identify-host-that-is-exhausting-indexing-quota/m-p/296662#M56257 nk-1 2020-09-29T14:05:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-identify-host-that-is-exhausting-indexing-quota/m-p/296663#M56258 <P>You should be querying the license usage log to accurate comparison of license (daily indexing volume) usage. </P> <P>Try this (from license server. Can query from search head if you're forwarding license server internal logs to your indexers)</P> <PRE><CODE>index=_internal source=*license_usage.log type=Usage earliest=-2d@d | eval host=if(isnull(h) OR len(h)=0,"SQUASHED",h) | bucket span=1d _time | stats sum(b) as usage by _time host | eval usage_GB=round(usage/1024/1024/1024,2) </CODE></PRE> Tue, 16 May 2017 18:30:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-identify-host-that-is-exhausting-indexing-quota/m-p/296663#M56258 somesoni2 2017-05-16T18:30:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-identify-host-that-is-exhausting-indexing-quota/m-p/296664#M56259 <P>Thanks for that query, somesoni2! <BR /> The host has been identified. It appears that the Forwarder on that host was not sending events for some time, and when the host was rebooted, all the backlogged events possibly got sent at once.<BR /> How does one flush the Forwarder before a reboot in such situations, to avoid a torrent of events?<BR /> These are not critical events to keep.</P> Tue, 16 May 2017 22:36:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-identify-host-that-is-exhausting-indexing-quota/m-p/296664#M56259 nk-1 2017-05-16T22:36:06Z https://community.splunk.com/t5/Getting-Data-In/How-to-identify-host-that-is-exhausting-indexing-quota/m-p/296665#M56260 <P>Found this in the docs, e.g. <BR /> ignoreOlderThan = 2d</P> <P>in inputs.conf</P> <P>(looks like that should prevent excessive logging of older events)</P> Thu, 18 May 2017 17:56:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-identify-host-that-is-exhausting-indexing-quota/m-p/296665#M56260 nk-1 2017-05-18T17:56:59Z