I've been trying to get a new index built to import some IIS logs and in the process of importing and deleting content to get the formats right, I've tripped over the 500MBytes per day limit of the Free License. Trouble is, I'm hoping to back fill the final version index with some historical data but of course I'm already over the daily limit.
From what I've read, the daily limit counts as one violation per day if the daily indexed volume remains at midnight. So I guess my question is, as a one off, if I continue with the backfill (bearing in mind my Splunk box is also continuing to recieve it's normal syslog traffic of around 45Mbytes per day too), will I just count as a single violation even if I'm over by a couple of hundred meg?
Moving forward, the IIS boxes are generating about 90Mbyes per day between them, so I would normally be well under the 500 MBytes limit.
Thanks and best regards.
if I recall it right, if you hit a license violation it does not matter how much you are over the limit .... but keep in mind that each violation counts for 30 days. So 3 violation within a rolling 30 days and you cannot search your data anymore.
read more here
Yes, but just be careful about the 30 days. It is a rolling 30 day window so if you had one violation and 29 days later a second violation, the countdown would restart. 29 days after your second violation you would still have 2 violations - you need to go 30 days completely free of violations to reset the count.
Yes, the splunk license manager doesn't care whether you exceed by 10MB or 500GB, the violations count the same. As long as you don't have 3 violations in 30 days, you'll be fine. Just get all your data in within the 2 days.
Hi MuS. That seems to be the understanding from most people too, including the Splunk partner I spoke to earlier. I've added the remaining data I wanted to get in and moving forward we will be way below the daily limit.