I think this is a question which has been asked several times. I have searched for answers but was still not able to find a satisfying one. I am just looking for a simple answer to this question:
I have added lots of data to my Splunk Enterprise test version. This data is about 2,2GB. Because of this I reached the limit today, getting the message "Daily indexing volume limit exceeded today". What will Splunk do tomorrow? Simply go on indexing since the next day has begun, or will all data which wasn't indexed today be lost?
Thank you very much. Kind regards,
The data will continue to be indexed. I think you have 3 or 5 over the limits and then your indexes will be unsearchable, except for a few internals.
"If you go over 500MB/day more than 3 times in a 30 day period, Splunk will continue to index your data, but search will be disabled until you are back down to 3 or fewer times in the 30 day period."
I think the same or similar is true for Enterprise Licenses.
So I am better off reinstalling Splunk and indexing the data by hand so that the limit is never exceeded?
Violations occur when you exceed the maximum indexing volume allowed for your license.
If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days.
If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license and search will be disabled.
Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days.
Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license.
More details here: About license violations
Yes, disabling the data inputs will stop indexing.
You could also filter data you don't want indexed using the nullQueue:
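An added example of nullQueue filtering, not the poster's own configuration (which the page does not include). The sourcetype name `app_logs`, the transform name `drop_debug_events` and the regex are assumptions chosen for illustration.

```ini
# props.conf, on the instance that parses the data
# (an indexer or heavy forwarder, not a universal forwarder).
# "app_logs" is a hypothetical sourcetype name.
[app_logs]
TRANSFORMS-drop_debug = drop_debug_events

# transforms.conf, on the same instance.
# Events whose raw text matches REGEX are routed to nullQueue and
# discarded before indexing. The pattern is a constructed example.
[drop_debug_events]
REGEX = \sDEBUG\s
DEST_KEY = queue
FORMAT = nullQueue
```

Events routed to nullQueue never reach an index, so they do not count toward the daily indexing volume and cannot be searched afterwards. Keep the regex narrow enough that events needed for later investigation are not discarded.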