I have a 5GB max size per day for a log(s). It went above that, to almost 8, but I lost the earliest data. In any file system, if there is no space you will get a warning but you will not lose your data. For example, let's say you have a folder in Windows or Linux with 200MB occupied; when the next data is added, a warning will pop up with some message.
I am not sure how Splunk does it, but I think what it does is this: the data is arranged in terms of buckets and each bucket has four stages warn-->cold--> hot--> frozen. The data will be moved through these stages now and then, and the old data in bucket x will be replaced with new data, so the existing data is lost. What is the point of increasing 5GB to 10GB - 20GB? It can happen again.
Guys -- I am not a Splunk admin, just a normal user, but I haven't gotten a good answer so far.
the data is arranged in terms of buckets and each bucket has four stages warn-->cold--> hot--> frozen
The correct four stages are hot---> warm ---> cold ---> frozen.
I have a 5GB max size per day for a log(s). It went above that, to almost 8, but I lost the earliest data.
You mean the daily license limit of 5GB? Or some other log limit?
Maybe you have not lost any data (just not able to search it, maybe).
Also, what version of Splunk?
This issue is a bit confusing. Some clearer info, please.
Splunk has a retention period and allocated storage as... There are fields called max-daily usages, etc. Yes, I lost data, otherwise I would not have raised this question.
Max-daily usage is 5GB; if you go above that then you will lose data. I'm about sure about Splunk version
Max-daily usage is 5GB; if you go above that then you will lose data
It seems like the daily license limit is 5GB, and if you go above 5GB you will get a license warning; data will still be indexed.
I'm about sure about Splunk version
I think you mistyped. To check your Splunk version, on the lower part of the login screen you can see something like -
"@ 2005-2017 Splunk Inc. Splunk 6.3.4 build cae2458f4aef "