Deployment Architecture

"Daily indexing volume limit exceeded today" What will happen tomorrow?

Katsche
Path Finder

Hi all,

I think this is a question which has been asked several times. I have searched for this answers but still was not able to find a satisfying answer. I am just looking for a simple answer to this question:

I have added lots of data to my Splunk Enterprise test version. This data is about 2,2GB. because of this a reached the limit today getting the message "Daily indexing volume limit exceeded today" today. What will Splunk do tomorrow? Simply go on indexing since the next day has begun or will all data which wasn't indexed today be lost?

Thank you very much. Kind regards,
Katsche

Tags (1)
1 Solution

MarioM
Motivator

Violations occur when you exceed the maximum indexing volume allowed for your license.

If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days.

If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license and search will be disabled.

Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days.

Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license.

More details here: About license violations

View solution in original post

MarioM
Motivator

Violations occur when you exceed the maximum indexing volume allowed for your license.

If you exceed your licensed daily volume on any one calendar day, you will get a violation warning. The message persists for 14 days.

If you have 5 or more warnings on an Enterprise license or 3 warnings on a Free license in a rolling 30-day period, you are in violation of your license and search will be disabled.

Search capabilities return when you have fewer than 5 (Enterprise) or 3 (Free) warnings in the previous 30 days.

Splunk does not stop indexing your data. Splunk only blocks search while you exceed your license.

More details here: About license violations

Katsche
Path Finder

Thank you very much. It is always a pleasure asking questions here. 🙂

0 Karma

MarioM
Motivator

yes disable the data inputs will stop indexing.

You could as well filter data you dont want being indexed using the nullQueue :

http://docs.splunk.com/Documentation/Splunk/4.2.3/Deploy/Routeandfilterdatad#Filter_event_data_and_s...

0 Karma

Katsche
Path Finder

Is it enough to disable the data input I get the data from?

0 Karma

Katsche
Path Finder

What can I do now? Delete the data from the data inputs?

0 Karma

fk319
Builder

The Data will continue to be indexed. I think you have 3 or 5 over the limits and then your indexes will be unsearchable, except for a few internals.

Katsche
Path Finder

So I am better off reinstalling Splunk and indexing the data by hand so that the limit is never exceeded?

0 Karma

fk319
Builder

" If you go over 500MB/day more than 3 times in a 30 day period, Splunk will continue to index your data, but search will be disabled until you are back down to 3 or fewer times in the 30 day period. "

http://docs.splunk.com/Documentation/Splunk/4.1.5/Installation/MoreaboutSplunkwithaFreeLicense

I think the same or similiar is true for Enterprise Licenses.

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...