Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Daily indexing volume limit exceeded shown on forwarder

remy06
Contributor
‎10-20-2010 03:52 AM

Hi,

I have installed Splunk on serverA. ServerA is configured to monitor local events and at the same time is pulling WMI events from serverB.

It is configured as a regular forwarder and is forwarding both events to our Splunk indexer.

When I login to Splunkweb at ServerA,I get a notice bar at the top of the page stating "Daily indexing volume limit exceeded".

Is there any concern for this as it is already configured as a forwarder? Will it have any effect on the events being indexed?

Tags (3)
0 Karma
Reply

remy06
Contributor
‎11-10-2010 04:50 AM

splunk 4.1.5. Have configured it as a forwarder so should be using the forwarder license.

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎11-03-2010 03:28 PM

You never stated what version of Splunk this is, or what license you are using.

0 Karma
Reply

bwooden
Splunk Employee
Splunk Employee
‎10-20-2010 02:13 PM

It will not affect indexing but you may wish to resolve it so you don't become immune to noticing error messages.  🙂

Verify the forwarder is not indexing AND forwarding.

From the GUI, you would follow these steps...

   1. click Manager > Forwarding and receiving > Forwarding defualts
   2. Select radio button "No" for "Store a local copy of forwarded events?"
   3. click Save button

This is equivalent to outputs.conf setting:

indexAndForward = false
0 Karma
Reply

remy06
Contributor
‎10-29-2010 08:33 AM

It seems to be still performing its task..but the notice is still there..Anyone?

0 Karma
Reply

remy06
Contributor
‎10-21-2010 01:44 AM

It is already configured not to "store a local copy of forwarded events".

This serverA is used to pull WMI events from serverB which filters off some windows events and the forwards them to Splunk indexer. It is at the same time forwarding local events to Splunk indexer.In this case is it indexing and forwarding as well?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...