https://community.splunk.com/t5/Installation/Licence-issue/m-p/40452#M628 <P>When you go to Manager -&gt; License, what does it show as your daily volume? </P> <P>My guess would be that you may be Indexing things you are not aware of.</P> <P>What does Splunk thing you indexed? Try searches like these to check your daily indexing volume totals or volume sorted by index or sourcetype. This will help you confirm that you really are not Indexing more data than 500MB per day.</P> <P>Total:<BR /><BR /> <PRE>index=_internal per_index_thruput earliest=-7d@d latest=now | timechart span=1d eval(sum(kb)/1024) as "Daily Indexing Volume in MB"</PRE></P> <P>By Index:<BR /><BR /> <PRE>index=<EM>internal metrics kb series!=</EM>* "group=per_index_thruput" daysago=7| eval indexed_mb = kb / 1024 | timechart fixedrange=t span=1d sum(indexed_mb) by series</PRE></P> <P>By Sourcetype:<BR /><BR /> <PRE>index=<EM>internal metrics kb series!=</EM>* "group=per_sourcetype_thruput" daysago=7| eval indexed_mb = kb / 1024 | timechart fixedrange=t span=1d sum(indexed_mb) by series</PRE></P> <P>Edit: Original was in GB... I converted to MB for this post.</P> Mon, 28 Sep 2020 12:18:08 GMT Sqig 2020-09-28T12:18:08Z https://community.splunk.com/t5/Installation/Licence-issue/m-p/40451#M627 <P>Hello,<BR /> i am using splunk enterprise (trial) 4.3.3 version.i have indexed the real time log using splunk and scheduled two search alerts for every 4 hours. The file size not reached 500mb but got warning message like limit exceeded twice. is that something i have not indexed properly? if i get a licence will get a same problem right? i beleive other system default indexes utilizing more memory.how to avoid this?</P> Tue, 21 Aug 2012 12:50:15 GMT https://community.splunk.com/t5/Installation/Licence-issue/m-p/40451#M627 sankarr 2012-08-21T12:50:15Z https://community.splunk.com/t5/Installation/Licence-issue/m-p/40452#M628 <P>When you go to Manager -&gt; License, what does it show as your daily volume? </P> <P>My guess would be that you may be Indexing things you are not aware of.</P> <P>What does Splunk thing you indexed? Try searches like these to check your daily indexing volume totals or volume sorted by index or sourcetype. This will help you confirm that you really are not Indexing more data than 500MB per day.</P> <P>Total:<BR /><BR /> <PRE>index=_internal per_index_thruput earliest=-7d@d latest=now | timechart span=1d eval(sum(kb)/1024) as "Daily Indexing Volume in MB"</PRE></P> <P>By Index:<BR /><BR /> <PRE>index=<EM>internal metrics kb series!=</EM>* "group=per_index_thruput" daysago=7| eval indexed_mb = kb / 1024 | timechart fixedrange=t span=1d sum(indexed_mb) by series</PRE></P> <P>By Sourcetype:<BR /><BR /> <PRE>index=<EM>internal metrics kb series!=</EM>* "group=per_sourcetype_thruput" daysago=7| eval indexed_mb = kb / 1024 | timechart fixedrange=t span=1d sum(indexed_mb) by series</PRE></P> <P>Edit: Original was in GB... I converted to MB for this post.</P> Mon, 28 Sep 2020 12:18:08 GMT https://community.splunk.com/t5/Installation/Licence-issue/m-p/40452#M628 Sqig 2020-09-28T12:18:08Z https://community.splunk.com/t5/Installation/Licence-issue/m-p/40453#M629 <P>Hello,</P> <P>Thanks for your reply..i can index 500MB per day using the enterprise version.when i ran the query index volume exceeded twice.I am new to this tool..I have pointed the real time SIP log,every 4 hour serching the keyword ALARM. i believe it's serching from the top of the log file again and again..how to search tail lines in the runtime logs?</P> <P>Thanks<BR /> Sankar</P> Tue, 21 Aug 2012 15:33:38 GMT https://community.splunk.com/t5/Installation/Licence-issue/m-p/40453#M629 sankarr 2012-08-21T15:33:38Z https://community.splunk.com/t5/Installation/Licence-issue/m-p/40454#M630 <P>I'm not sure I'm following. </P> <P>With Splunk, you point it at a logfile and it consumes the entire file. It then continues to consume new lines as they get added to the log file. So you are actually indexing the full volume in the file, not just whatever your results of searches are.</P> Tue, 21 Aug 2012 17:20:21 GMT https://community.splunk.com/t5/Installation/Licence-issue/m-p/40454#M630 Sqig 2012-08-21T17:20:21Z https://community.splunk.com/t5/Installation/Licence-issue/m-p/40455#M631 <P>all the files of a particular folder is not getting imported automatically, only the first file is getting added..please suggest any solution !!</P> Tue, 09 Oct 2012 18:33:45 GMT https://community.splunk.com/t5/Installation/Licence-issue/m-p/40455#M631 abhayneilam 2012-10-09T18:33:45Z