Archive
Highlighted

"Daily indexing volume limit exceeded today" What will happen tomorrow?

Path Finder

Hi all,

I think this is a question which has been asked several times. I have searched for this answers but still was not able to find a satisfying answer. I am just looking for a simple answer to this question:

I have added lots of data to my Splunk Enterprise test version. This data is about 2,2GB. because of this a reached the limit today getting the message "Daily indexing volume limit exceeded today" today. What will Splunk do tomorrow? Simply go on indexing since the next day has begun or will all data which wasn't indexed today be lost?

Thank you very much. Kind regards,
Katsche

Tags (1)
Highlighted

Re: "Daily indexing volume limit exceeded today" What will happen tomorrow?

Contributor

The Data will continue to be indexed. I think you have 3 or 5 over the limits and then your indexes will be unsearchable, except for a few internals.

Highlighted

Re: "Daily indexing volume limit exceeded today" What will happen tomorrow?

Contributor

" If you go over 500MB/day more than 3 times in a 30 day period, Splunk will continue to index your data, but search will be disabled until you are back down to 3 or fewer times in the 30 day period. "

http://docs.splunk.com/Documentation/Splunk/4.1.5/Installation/MoreaboutSplunkwithaFreeLicense

I think the same or similiar is true for Enterprise Licenses.

0 Karma
Highlighted

Re: "Daily indexing volume limit exceeded today" What will happen tomorrow?

Path Finder

So I am better off reinstalling Splunk and indexing the data by hand so that the limit is never exceeded?

0 Karma
Highlighted

Re: "Daily indexing volume limit exceeded today" What will happen tomorrow?

Motivator

Violations occur when you exceed the maximum indexing volume allowed for your license.

If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days.

If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license and search will be disabled.

Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days.

Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license.

More details here: About license violations

View solution in original post

Highlighted

Re: "Daily indexing volume limit exceeded today" What will happen tomorrow?

Path Finder

What can I do now? Delete the data from the data inputs?

0 Karma
Highlighted

Re: "Daily indexing volume limit exceeded today" What will happen tomorrow?

Path Finder

Is it enough to disable the data input I get the data from?

0 Karma
Highlighted

Re: "Daily indexing volume limit exceeded today" What will happen tomorrow?

Motivator

yes disable the data inputs will stop indexing.

You could as well filter data you dont want being indexed using the nullQueue :

http://docs.splunk.com/Documentation/Splunk/4.2.3/Deploy/Routeandfilterdatad#Filter_event_data_and_s...

0 Karma
Highlighted

Re: "Daily indexing volume limit exceeded today" What will happen tomorrow?

Path Finder

Thank you very much. It is always a pleasure asking questions here. 🙂

0 Karma
Highlighted

Re: "Daily indexing volume limit exceeded today" What will happen tomorrow?

Splunk Employee
Splunk Employee